Virtual device drivers (VxDs) are not just for people writing drivers for hardware devices anymore than DOS device drivers are used for the same. A VxD is Windows' way of letting you do almost anything you want. If you miss the DOS world - where you have direct access to the hardware, can interface to vital CPU functions, or can take over parts of the operating system - then welcome to VxDs, where you can do the a lot of same under Windows.
A VxD is code and data that runs at ring 0 in 32-bit flat model as part of the Windows 386 virtual machine manager (VMM). In fact, the VMM (WIN3B6.EXE) is primarily a numbex of standard VxDs compounded in a single file. VxDs only operate when Windows runs in 386 Enhanced mode.
VMM is not really a part of Windows; instead, it is a preemptive, multitasking kernel that controls multiple virtual machines. Once VMM has initialized, the Windows Graphical User Interface composed of KRNL386.EXE, GDI.EXE, USER.EXE, and all of the supporting drivers are loaded into the System VM (the initial virtual machine created when VMM is started). However, VMM could easily load COMMAND.COM into the System VM and with the assistance of a VxD and some helper hot-keys, so that you have a multitasking DOS instead of the fancy Windows GUI.
Because VxDs operate at ring 0, the operating-system level of protection, the CPU allows the code to execute any 386 instruction. At higher ring levels, access to memory addresses or I/O ports can be restricted from the VM, allowing the VMM or a VxD to process the exception as it wishes. Of course, certain instructions executed by the VM always cause processor exceptions, but a VxD can simulate the functionality of that instruction for the VM, allowing it to operate as if it has sufficient privilege.
With this power comes responsibility. Although a VxD can play with the Interrupt Descriptor Table (IDT) entries directly, this is something that should probably be avoided. Besides, the VMM provides enough functionality to get as close the IDT as needed, so why reinvent the wheel?
A VxD is always active, unlike any other part of Windows. When a DOS box is running exclusive mode, the primary code executing apart from the DOS box itself includes any VxDs responding to IRQs, code causing faulting instructions, and trapped I/O or page faults in the DOS box.
A VxD is the only program with unobstructed access to the hardware. If a VxD performs I/O to a port, it communicates directly to the physical port, without restrictions. If a VxD owns a hardware interrupt, the VxD receives the IRQ directly from the Virtual Programmable Inten`upt Controller Driver (VPICD), without ring transitions. For example, an interrupt service routine for an non-owned interrupt in a VM sees a virtualized interrupt through events scheduled by the VPICD, whereas a VxD has a more direct path for interrupt servicing. Where code communicating to hardware in a VM may be restricted or slowed by ring transitions and access permission lookups, a VxD is unrestricted and extremely fast.
VxDs operate in 32-bit flat model, the 386 equivalent of small model. All of the segment registers are fixed to the same base address. The CS and DS selector values differ, due to access and execution restrictions (code versus data), but point to the same memory. Because a VxD is in 32-bit flat model, all offsets to code and data are 32-bit; therefore, you can access any part of the address space (4 gigabytes) with just an offset.
A VxD is also given priority on all actions in a VM. A VxD can intercept and/or generate interrupts (hardware or software), trap port I/O, and even restrict access to specific regions of memory. VxDs can determine whether to allow such access to occur, provide simulation, terminate (or nuke) the VM, or simply ignore the request.
Because VxDs utilize the base components of the 80386 chipset, it is important that you have a working knowledge of 386 architecture (footnote:For a good description of 80386/80486 system architecture, see Hummel, Robert L. (1992), PC Magazine Programmer's Technical Reference: The Processor and Coprocessor, Emeryville, CA: Ziff-Davis Press.)
A misbehaving MS-DOS application will usually crash the DOS virtual machine. A misbehaving Windows application may affect the operation of other Windows applications. However, a misbehaving VxD will erash the entire Windows operating system. Because a VxD is part of the WIN386 kernel, the VxD is active during critical processing of the Windows operating system. The smallest, most subtle bug can have devastating effects on the operating system. Thorough testing of virtual device drivers is absolutely necessary. Do not simply test how the VxD operates under stringent configurations; instead, expand your testing to include all possible permutations of enduser system configurations you can design (limited only by a testing hardware budget of course!).
VxDs were originally designed to handle hardware device contention between multiple processes and to translate or buffer data transfers from a VM to hardware devices. When two or more programs attempt to access the same device, some method of contention management must be used. You can use a VxD to allow each process to act as though it has exclusive access to the device. For example, a Virtual Printer Device (VPD) would provide the process with a virtual printer port, and characters written to the port would be written to a print spooler. The VxD would then send the job to the printer when it becomes available. Windows 3.X does not operate in this fashion, but the Win-Link VxD provides this functionality (see Chapter 14 for more information). Another method would be to assign the physical device to only one process at a time, so that when a process attempts to access the device while it is in use, the VxD does not pass the request to the actual hardware, and the process operates as though the hardware did not exist. The Virtual COMM Device (VCD) uses this method.
Recently, the use of VxDs has been expanded to include interprocess communication (demonstrated in the Win-Link example). Some VxDs now also implement a truly virtual device, providing the necessary mechanisms to allow a virtual machine to see a device that may not actually exist in hardware. VxDs can also implement client-server hardware management, providing an interface to a VM that virtualizes I/O to the device and translates this information to commands to be sent across a network to a hardware server.
Real-Mode Initialization Segment
The real-mode initialization segment is a 16-bit code and data segment of the VxD defined
by the VxD REAL MODE INIT SEG macro and is called during VMM's startup. This
allows a VxD to communicate with TSRs or other real-mode procedures to gather and then pass vital information to the VxD's protected mode initialization routines or to fail the load of the VxD or VMM prior to entering protected mode. The term "real-mode initialization" is relative. If you have installed an EMM emulator (EMM386, 386Max, or QEMM), it is likely that the real-mode initialization procedures are invoked in V86 mode and are subject to trapped I/O or other virtualization occurring under these systems. In other words, during real-mode initialization, VMM does not switch the processor to real mode and then call these procedures. Instead, it executes the 16-bit code in the mode configured prior to the startup of VMM (such as invoking WIN.COM).
Note: Due to problems in Windows 3.x, you will need to make sure that your real-mode initialization segment is not exactly 4k, 8k, 12k, or 16k in size. Additionally, real-mode initialization segments greater than 8k (or 12k in Windows 3.1 ) must be a multiple of 4. Real-mode initialization segments cannot be greater than 12k under Wlndows 3.0 or greater than 16k under Windows 3.1. Using code segments greater than these restrictions wiIl cause problems and will eventually hang VMM. These problems were reported on the CompuServe WinSDK forum and confirmed by Developer Support Engineers. Avoid these problems with real-mode initialization by adding the necessary boundary checks in your code.
Protected-Mode Initialization Segment
The 32-bit initialization code and data segments defined by the VxD_ICODE_SEG and VxD_IDATA_SEG macros are present until VMM has completed initialization, at which time they are discarded, freeing the memory used by these sometimes cumbersome pieces of code. These initialization procedures can determine whether it is safe to load the VxD or to bail out prior to further initialization. Thus, the VxD load can fail, the user can be notified, and there will be no memory wasted for the VxD when the VMM completes initialization.
Pageable Data Segments
Because VxD segments are locked by default under Windows 3.x, using data segments to store large amounts of constant data can be a waste of physical memory. One method to resolve this issue is to store the data in the initialization data segment and allocate pageable memory using _HeapAllocate during the Device_Init call. You can copy the data from the initialization segment to this block, and when system initialization has completed, the original data will be discarded.
Device Declaration Block (DDB)
The device declaration block describes the virtual device to the VMM. lt provides a VxD mnemonic, usually a somewhat descriptive title using V as the prefix and D as the suffix, such as VXFERD, suggesting a virtual transfer driver. It also provides a major and minor version, the main control procedure, the device ID number, the initialization order, and control procedures for the V86 or Protected-Mode (PM) API:
Declare_Virtual_Device VSIMPLED, VSIMPLED_Major_Ver,\ VSIMPLED_Minor_Ver,\ VSIMPLED_Control_Proc,\ VSIMPLED_Device_ID,\ Undefined_Init_Order,\ VSIMPLED_V86_API_Proc,\ VSIMPLED_PM_API_Proc
This declaration dispatches the system control events to the VSIMPLED_Control_proc. This procedure must be declared in a VxD_LOCKED_CODE segment, which handles system event control such as the initialization dispatch, VM control events (creation or suspension of VMs), device focus changes, and system shutdown notifications. Defining it in any other segment will cause problems.
VxD Control Procedure
The control procedure is the main dispatch entry point for the VxD. The initialization messages from VMM are sent to this procedure and then dispatched to the appropriate handlers:
VXD_LOCKED_CODE_SEG ;---------------------------------------------------------- ; VSIMPLED Control Proc ; ; Description: ; This is the entry point for system control calls from VMM. ; Control for system messages are dispatched through the ; Control_Dispatch macro in VMM.INC. ;---------------------------------------------------------- BeginProc VSIMPLED_Control_Proc Control_Dispatch Sys_Critical_Init, VSIMPLED_Sys_Critical_Init Control_Dispatch_Device_Init, VSIMPLED_Device_Init EndProc VSIMPLED_Control_Proc VXD_LOCKED_CODE_ENDSVXD_LOCKED_CODE_SEG and VXD_LOCKED_CODE_ENDS are macros that define a segment of 32-bit code in a page-locked segment. Defining this segment as "page-locked" is necessary because the calls are dispatched during critical processing of the VMM. This procedure cannot be included in the initialization code segments, because it would be discarded after VMM completed its startup procedures and system failure would occur when the VMM attempted to dispatch a control message to the VxD during later processing.
The BeginProc and EndProc macros define the beginning and end of a specific VxD entry point. These macros define the procedure name of a VxD, declare it callable by other VxD, align the procedure for "fast-calling", declare the procedure as public for access outside of this module, or additionally define the procedure as an asynchronous service callable from another VxD at interrupt time. The valid parameters to BeginProc macro are PUBLIC, HIGH_FREQ, SERVICE, and ASYNC_SERVICE, and their functionality corresponds to the following table:
PUBLIC Procedure is callable from an external module HIGH_FREQ Aligns this procedure on a DWORD boundary. Useful for procedures called frequently such as hardware interrupt procedures or I/O trapping routines. SERVICE Procedure can be called from another VxD. Requires an exported service table. ASYNC_SERVICE Same as SERVICE, but the VxD routine can be called during interrupt procedures. VxD services that do not specify this option and are called at interrupt time will cause debug traces when using the debug version of VMM (WTIN386.EXE). If you declare a service to be asychronous be sure that it is atomic or can be interrupted while processing the request.
Virtual Device ID
A specialized VxD ID may be required if your VxD provides an external V86 or PM API or if your VxD exports services callable by other VxDs. In these cases, you need to request a VxD ID from Microsoft (Internet address vxdid@microsoft.com; CompuServe email, >INTERNET:vxdid@microsoft.com). Microsoft will send you a registration form, which you will need to fill out and return for processing.
If you are replacing an existing VxD, such as the Virtual Comm Device (VCD), you should use the value specified in VMM.INC. The replacement VCD would then have a device ID of VCD_Device_ID. Otherwise, assuming that your VxD does not provide an external API or services, you can use the predefined value of Undefined_Device_ID.
Initialization Order
The initialization order of the DDB defines the load order of the virtual device drivers. VMM will load and initialize the VxDs in the order specified by the load-order values. For most secondary virtual device drivers, the Undefined_Init_Order equate is sufficient. If your VxD requires other VxDs to be present and initialized prior to calling your initialization procedures, you need to specify a load order constant here.
API Entry Procedures
API entry procedures are invoked when a VM running in either protected mode or V86 mode calls the VxD's entry point. A VxD entry point is available to VMs only when the VxD defines the necessary entry procedures in the DDB. These procedures are discussed in depth in Chapter 4.
System Critical Initialization (Sys_Critical_Init)
VMM dispatches a Sys Critical Init message to all VxDs in the order defined by the Initialization Order values of the VxDs. During Sys_Critical_Init, interrupts are disabled, and VxDs perform system-critical initialization such as memory mapping and hooking V86 interrupts or faults. Because interrupts are disabled, you should keep the initialization during this message to a minimum.
Sys_Critical_Init may also be used to hook your VxD in front of certain handlers, such as GP fault or NMI processing. Sys_Critical_Init is an optional procedure, and you should only define this procedure if you have specific initialization to perform. Below is a sample Sys_Critical_Init handler as used in the VSIMPLED Sample:
;----------------------------------------------------- ; VSIMPLED Sys_Critical_Init ; ; Description: ; On entry, interrupts are disabled. Critical initialization ; for this VxD should occur here. For example, we can read ; settings from VMM's cached copy of the SYSTEM.INI and set up ; our VxD as appropriate. ; This procedure is called when the VSIMPLED Control Proc ; dispatches the Sys Critical_Init notification from VMM. ; We can notify VMM of failure by returning with carry set ; or carry clear will suggest success. BeginProc VSIMPLED_Sys_Critical_Init clc ret EndProc VSIMPLED_Sys_Critical_Init
Device Initialization (Device Init)
Device initialization is where non-system critical initialization of your VxD is performed. For example, you may want to install I/O trap handlers, virtualize an interrupt using VPICD services, or allocate a VM control block. Returning from this procedure with carry set will fail the loading procedure of the VxD. If everything has passed initialzation, clear the carry flag and return.
Using the information provided in this chapter, we are ready to create our first VxD. This skeleton VxD declares a DDB, and defines a control procedure supporting the two system initialization messages (Sys_Critical_Init and Device_Init):
MAKEFILE !IFDEF DEBUG DEFS=-DDEBUG !ENDIF .asm.obj: masm5 -p -w2 -Mx $(DEFS) $*; .asm.lst: masm5 -1 -p -w2 -Mx $(DEFS) $*; OBJS = vsimpled.obj all: vsimpled.386 vsimpled.obj: vsimpled.asm vsimpled.386: vsimpled.def $(OBJS) link386 /NOI /NOD /NOP /MAP @<< $(OBJS) vsimpled.386 vsimpled.map vsimpled.def << addhdr vsimpled.386 mapsym32 vsimpled clean: del *. 386 del *. obj del *. map del *. sym VSIMPLED.ASM page 60, 132 ;*************************************************************** ; title VSIMPLED - A simple virtual device driver example ;*************************************************************** ;**************************************************************** ; Functional Description: ; Provides a minimal virtual device driver interface. ;**************************************************************** .386p ;================================================================ ; I N C L U D E S & E Q U A T E S ;================================================================ .XLIST INCLUDE VMM. Inc INCLUDE Debug.Inc .LIST VSIMPLED_Major_Ver equ 01h VSIMPLED_Minor_Ver equ 00h VSIMPLED_Device_ID equ Undefined_Device_ID ;================================================================ ; V I R T U A L D E V I C E D E C L A R A T I O N ;================================================================ Declare_Virtual_Device VSIMPLED, VSIMPLED_Major_Ver,\ VSIMPLED_Minor_Ver, VSIMPLED_Control_Proc,\ VSIMPLED_Device_ID, Undefined_Init_Order,,, ;================================================================ ; I C O D E ;================================================================ VxD_ICODE_SEG ;---------------------------------------------------------------- ; VSIMPLED Sys Critical_Init ; ; Description: ; On entry, interrupts are disabled. Critical initialization ; for this VxD should occur here. For example, we can read ; settings from VMM's cached copy of the SYSTEM.INI and act ; set up our VxD as appropriate. ; ; This procedure is called when the VSIMPLED_Control_Proc ; dispatches the Sys_Critical_Init notification from VMM. ; ; We can notify VMM of failure by returning with carry set ; or carry clear will suggest success. ;--------------------------------------------------------------- BeginProc VSIMPLED_Sys_Critical_Init Trace_Out "VSIMPLED: Sys_Critical_Init" clc ret EndProc VSIMPLED_Sys_Critical_Init ;--------------------------------------------------------------- ; VSIMPLED_Device_Init ; ; Description: ; This is a non-system critical initialization procedure. ; IRQ virtualization, I/O port trapping and VM control ; block allocation can uccur here. ; ; Again, the same return value applies... ; CLC for success, STC for error notification. ;--------------------------------------------------------------- BeginProc VSIMPLED_Device_Init Trace_Out "VSIMPLED: Device_Init" clc ret EndProc VSIMPLED_Device_Init VxD_ICODE_ENDS VxD_LOCKED_CODE_SEG ;=============================================================== ; N O N P A G E A B L E C O D E ;=============================================================== ;--------------------------------------------------------------- ; VSIMPLED Control Proc ; ; DESCRIPTION: ; Dispatches v MM control messeges to the appropriate handlere. ; ENTRY : ; EAX = Message ; EBX = VM associated with message ; ; EXIT : ; Carry clear if no error (or if not handled by the VxD) ; or set to indicate failure if the message can be failed. ; ; USES : ; All regigters. ;--------------------------------------------------------------- BeginProc VSIMPLED_Control_Proc Control_Dispatch Sys_Critical_Init, VSIMPLED_Sys_Critical_Init Control_Diapatch Device_Init, VSIMPLED_Device_Init clc ret EndProc VSIMPLED_Control_Proc VxD_LOCKED_CODE_ENDS END ;--------------------------------------------------------------- ; End of File: vsimpled.asm ;--------------------------------------------------------------- VSIMPLED.DEF LIBRARY VSIMPLED DESCRIPTION 'W386 VSIMPLED Sample Device (Version 3.10)' EXETYPE DEV386 SEGMENTS _LTEXT PRELOAD NONDISCARDABLE _LDATA PRELOAD NONDISCARDABLE _ITEXT CLASS 'ICODE' DISCARDABLE _IDATA CLASS 'ICODE' DISCARDABLE _TEXT CLASS 'PCODE' NONDISCARDABLE _DATA CLASS 'PCODE' NONDISCARDABLE EXPORTS VSIMPLED_DDB @1
Before entering the Windows environment, you need to copy the debug version of the VMM into your system directory. The Windows 3.1 Device Development Kit contains this special version. There are many reasons to use this version of the VMM when developing your VxDs:
Using the debug version of WIN386.EXE requires either a serial terminal on COM1 or COM2 and WDEB386, the 386 debugger included with the Windows Software Development Kit and Device Driver Development Kit, or a Windows Enhanced Mode Debugger such as Soft-ICE/WTM available from NuMega.
The VSIMPLED device displays trace information at each initialization phase. Before the GUI starts, break into the debugger by using the appropriate hot-key (Control-D for SoftICE/W or a Control-C from the terminal keyboard for WDEB386) and unassemble the VSIMPLED_Sys_Critical_Init procedure:
Registration # SIW012345 :ALTSCR OFF :LINES 50 :iihere on :wc :x VSIMPLED: Sys_Critical_Init Break Due to Hot Key D800:00001A20 MOV CX,0040 :u VSIMPLED_Sys_Critical_Init VSIMPLED_Sys_Critical_Init 0028:8029478C CALL [Log_Proc Call] 0028:80294792 PUSHFD 0028:80294793 PUSHAD 0028:80294794 MOV ESI,VSIMPLED DDB+38(80OFEA2C) 0028:80294799 CALL [Out_Debug_String] 0028:8029479F POPAD 0028:802947A0 POPFD :g VSIMPLED: Device_Init VMM Version 03.10 - Build Rev 00000103 Break Due to Hot Key 0028:800110A6 CMP AX,0030 :u VSIMPLED_Sys_Critical_Init VSIMPLED_Sys_Critical_Init 0028:8029478C INVALID 0028:8029478E INVALID 0028:80294790 INVALID 0028:80294796 INVALID 0028:80294798 INVALID :g
Re-enter the debugger when the Windows GUI has completed initialization and unassemble the same procedure. You will find that the address is invalid because the initialization code and data segments were discarded after the device initialization was completed.
For more information on VMM's debugging services and debugging techniques, see Chapter 11, "Using the Debugging Services."
The VMM creates, runs, and destroys virtual machines (VMs). On startup, the VMM creates the System VM for the Windows GUI. The System VM interfaces to the SHELL VxD in VMM to create new virtual machines or DOS boxes - each new VM starts operation in Virtual 8086 (V86) mode. Because a VxD is a part of the VMM, it runs within whatever VM is active when it is called. Consequently, when a DOS VM calls a VxD, the VxD runs in protected mode in the context of the calling VM.
To write a VxD, you must have a clear understanding of how the VMM works
The execution path of VMM is driven by event lists. Event lists are linked lists of scheduled event procedure calls. These scheduled calls are created by the WIN386 system as the result of faults, interrupts, or specific VxD requests.
There are two types of event lists: the global event list and VM-specific event lists. The global event list is the event list for the VMM. As each VM is created, VMM creates an event list for specific events of that VM. Prior to returning control to a VM, VMM processes any events in the global event list, any pending NMI events (a special form of a global event), and then the VM event list as shown in Figure 2.1. Note that VM-specific events are only processed for the active VM.
When a VxD processes an event, it has complete control of the system. Because extended event processing reduces the system performance, the event procedure must be fast and avoid lengthy processing. Returning from the event allows VMM to continue the processing of the event list.
When VM events are created, the execution priority of the VM can be adjusted. This is also known as a "boost." The boost can be temporary (automatically removed by VMM) or can be specifically removed by the VxD when all of the necessary event processing for that VM is completed. The execution priority of a VM is used by the primary scheduler (execution priority scheduling) to determine the active VM. (See the section on Scheduling for more detail.)
When all events from the global event list and active VM event list have been processed, the primary scheduler walks the VM list searching for the VM with the highest execution priority. The VM with the highest execution priority becomes the active VM. VMM returns to the active VM until it is reactivated by interrupt or fault processing. When a VxD is processing an event, asynchronous VMM services may be called and new events generated as the result of IRQ handling. When an IRQ is generated by the PIC, the handlers installed into the IDT by VPICD (Virtual PIC Device) call the Hw Int Proc for the IRQ. During non-virtualized IRQ processing, the default VPICD handlers then schedule VM events for interrupt simulation. VxDs must be aware that VPICD handles interrupts while events are processed, and disabling interiupts during event processing may be necessary for VxDs performing critical hardware processing. IRQ handling is detailed in Chapter 7.
Because a VM does not continue executing until all events in the global event list and VM event list have been dispatched, the results of event processing in a VxD can become stacked in the VM. For example, a VxD processing a global timeout event may schedule an asynchronous call to a procedure in a VM. During this processing, the VxD may request that the VM resume execution. Before resuming execution of the VM, VMM processes any remaining events on the event list. If this includes an interrupt event scheduled by VPICD, the VxD may request a simulated interrupt in the VM. Finally, when VMM returns to the VM, the actual results of the event processing are executed in reverse order as pushed onto the VM's stack: The interrupt service is be processed first, before the callback scheduled by the timeout event.
When a VM is boosted, its order is changed in the queue. Normally, the active VM has a boost of Cur_Run_VM_Boost in as its execution priority. Devices that require a VM to become active as the result of I/O or interrupt processing may use a device boost of High_Pri_Device_Boost to force the VM to become active. This is typically implemented using the Call_Priority_VM_Event service. Using this service, VMM adjusts execution priority of the specified VM, and a callback is notified when the VM has activated. The VxD can then continue its processing for the VM. Figures 2.2 and 2.3 demonstrate the effect in the scheduling queue of changing the execution priority. The following code example demonstrates the technique of boosting a VM's execution priority:
// Example of calling priority VM event in 'C' DWORD dwEventHandle ; static PEVENTPROC pEventProc = NULL ; if (!pEventProc) pEventProc = vmmwrapThunkEventProc( BoostEventProc ) ; dwEventHandle = vmmCallPriorityVMEvent( hVM, High_Pri_Device_Boost, PEF_Wait_Not_Crit, dwRefData, pEventProc, 0 ) ; // Boost Event Proc - handler for VM event callback VOID BoostEventProc( DWORD hVM, DWORD dwRefData, PCRS_32 pCRS ) { TRACEMSGPARAM( "VM #EAX is now active\r\n", hVM ); } // end of BoostEventProc()
The secondary scheduler (or time-slice scheduler) adjusts the execution priority for VMs for a period of time based on the background and foreground priorities set for each VM. The secondary scheduler determines which VM to boost based on the time-slice priorities specified in the.PIF file of a DOS application.
The time-slice priorities are also used to determine how long the execution priority of a VM will be boosted. The boost value is constant - that is, changing the time-slice priorities does not affect the amount of execution priority boost that a VM receives. When the next time-slice occurs and the VM's time-slice period has been exhausted, the VM is unboosted and the next VM in the time-slice scheduler's queue receives the execution priority boost.
The time-slice scheduler's execution priority boost for a VM is low compared to other high-priority event processing. Thus, the high-priority VM remains active until it is unboosted or until another VM of higher priority is found in the primary scheduler s queue.
VMM, its component VxDs, and third-party VxDs can provide services callable by other VxDs. The calls to these services are resolved at runtime by the dynalink mechanism. The VxDCall and VMMCall macros provided by VMM.INC are expanded in code as follows:
int Dyna_Link_Int dd VxD_ID SHL 16 + VxD_Service < Clean up C parameters>
When the IDT dispatches the software interrupt to VMM, the dynalink routine patches the int 20h and the following dword with a direct call to the VxD service handler. Stack parameters to the service are passed with the 'C' calling convention. VxDJmp is similar to VxDCall, with the exception that stack parameters cannot be used and the resulting code jumps to the VxD service handler, avoiding the extra cycles involved when the service call is followed by a return instruction.
Under some 386 'C' compilers, you cannot generate the appropriate in-line assembly instructions to duplicate this interface and/or load the registers required by the service. Consequently, you need to use.ASM thunks to provide a 'C' callable interface. Similarly, replacement VxDs (for example, a replacement VCD) may require register-parameter passing, and an assembly language front-end is necessary. The VDDVGA sample was written in 'C' and demonstrates the techniques required to interface to some of these services.
Note: For more information on writing VxDs in 'C' see Chapter 10.
The primary scheduler implements a single critical section using the Begin_Critical_ Section and End_Critical_Section services in VMM. The critical section can be claimed on behalf of a VM by a VxD. The critical section is most commonly used when calling MS-DOS or BIOS interrupt handlers because these real-mode code pieces are not reentrant. However, the critical section can also be used for other drivers or TSRs loaded prior to starting WIN386.
Note that the critical section does not halt scheduling of VMs; that is, other VMs may be scheduled while the critical section is claimed. If a second VM attempts to claim the critical section, the VM is suspended until the current critical section owner has released the critical claim. When a VM claims a critical section, the execution priority of the VM is adjusted by the predefined value of Critical_Section_Boost; the execution priority is restored when the critical section is released.
The critical section allows a VxD to prevent multiple VMs from entering the same piece of code. If two VMs are executing and interfacing to the same TSR and the TSR can not handle multiple VMs calling simultaneously because it maintains global non-instanced data for the specific procedure, a VxD may wrap the V86 interrupt chain and claim a critical section prior to reflecting the interrupt to the VM. It releases the critical section when the interrupt has returned. This prevents two VMs from simultaneously entering the same interrupt routine in the TSR. The following example demonstrates hooking the V86 interrupt, watching for a specific signature, and claiming a critical section around the API call:
; ; Hook the V86 interrupt (Int 60h) ; BeginProc VSIMPLED_Sys_Critical_Init pushad mov eax, 60h mov esi, OFFSET32 VSIMPLED_Int60_Hook VMMCall Hook_V86_Int_Chain popad clc ret EndProc VSIMPLED_Sys_Critical_Init ; ; Watches for the API signature. If found, claims ; a critical section and hooks the "back-end". ; BeginProc VSIMPLED_Int60 Hook, High Freq cmp [ebp.Client_AX], 4257h jne SHORT VIH_Exit pushad ; ; Claim the critical section but allow interrupts ; to be serviced if we block. ; mov ecx, Block_Svc_Ints or Block_Enable_Ints VMMCall Begin_Critical_Section ; ; Hook the back end of the Int60 call. ; xor eax, eax xor edx, edx mov esi, OFFSET32 VSIMPLED_Int60_Complete VMMCall Call_When_VM_Returns popad VIH_Exit: stc ; always chain ret EndProc VSIMPLED_Int60_Hook ; ; Completes the Int 60h handling by releasing the ; critical section and returning. ; BeginProc VSIMPLED_Int60_Complete, High_Freq VMMCall End_Critical_Section ret EndProc VSIMPLED_Int60_Complete
VMM provides services to suspend and resume the execution of a VMs (Suspend_VM and Resume_VM). It is not possible for a VxD to suspend the execution of the System VM because VMM prevents this, but all other VMs can be suspended. Also, if a VM is the critical section owner, suspending the VM is not valid, and consequently the suspend call will fail.
When it suspends a VM, a VxD causes the VM to be removed from the active queue and added to the inactive queue. The primary scheduler does not activate this VM until it is resumed. If a VxD suspends a VM that is currently active, an immediate task switch occurs and the execution path in the VxD halts at the Suspend VM call. To see this, try using debug traces to "wrap" the call to the Suspend_VM service. The debug trace in front of this call displays and a task switch occurs as when the active VM is placed in the inactive queue (the VM with the highest priority becomes the active VM), after which global events and VM events are processed. When the suspended VM has been resumed, the debug trace after the Suspend_VM call in the VxD is displayed, as the execution path of the VM continues.
VMM provides services (Wait_Semaphore and Signal_Semaphore) that allow VxDs to block and unblock VMs, based on events occurring in the VxD that decrement a token count by signaling the semaphore. A VM waiting on a semaphore resumes when the token count is less than or equal to zero. Additionally, it is possible to specify that certain events can be processed in a blocked VM. The following list describes the flags associated with the Wait_Semaphore service:
Block_Enable_Ints Forces interrupts to be enabled and serviced even if interrupts are disabled in the blocked v M. (Only relevant if Block_Svc_Ints or Block_Svc_If_Int_Locked specified.) Block_Poll Causes the primary scheduler to not switch away from the blocked VM unless another VM has higher priority. Block_Svc_Ints Service interrupts in the VM even if the virtual machine is blocked. Block_Svc_If_Ints_Locked Same as Block_Svc_Ints with the additional requirement that the VMStat_V86IntsLocked flag is set.
Figure 2.4 shows the flow control possible using the semaphore services. For example, a VxD can signal or wait on semaphores in response to API calls from both the V86 VM (DOS application) and from the PM VM (Windows Application), allowing the VxD to control a data transfer channel through the VxD.
Because VMM is non-reentrant, only a subset of VMM's API is available when a VxD is entered through an asynchronous interrupt. Services in a VxD can be declared AsYNC and are available at interrupt time. If your VxD declares such a service, it may call only asynchronous services. The following tables list all the asynchronous services that may be called in interrupt handlers:
Asynchronous VMM Services Begin_Reentrant_Execution Get_Time_Slice_Info Call_Global_Event Get_VM_Exec_Time Call_Priority_VM_Event Get_VMM_Reenter_Count Call_VM_Event Get_VMM_Version Cancel_Global_Event List_Allocate Cancel_VM_Event List_Attach Close_VM List_Attach_Tail Crash_Cur_VM List_Deallocate End_Reentrant_Execution List_Get_First Fatal_Error_Handler List_Get_Next Fatal_Memory_Error List_Insert Get_Crit_Section_Status List_Remove Get_Crit_Status_No_Block List_Remove_First Get_Cur_VM_Handle Schedule_Global_Event Get_Execution_Focus Schedule_VM_Event Get_Last_Updated_System_Time Signal_Semaphore Get_Last_Updated_VM_Exec_Time Test_Cur_VM_Handle Get_Next_VM_Handle Test_Debug_Installed GetSetDetailedVMError Test_Sys_VM_Handle Get_System_Time Update_System_Clock Get_Sys_VM_Handle Validate_VM_Handle Asynchronous Debugging Services Clear_Mono_Screen Is_Debug_Chr Debug_Convert_Hex_Binary Log_Proc_Call Debug_Convert_Hex_Decimal Out_Debug_Chr Debug_Test_Cur_VM Out_Debug_String Debug_Test_Valid_Handle Out_Mono_Chr Disable_Touch_1st_Meg Out_Mono_String Enable_Touch_1st_Meg Queue_Debug_String Get_Mono_Chr Set_Mono_Cur_Pos Get_Mono_Cur_Pos Test_Reenter In_Debug_Chr Validate_Client_Ptr Asychronous VxD Services BlockDev_Command_Complete VPICD_Get_Complete_Status BlockDev_Send_Command VPICD_Get_IRQ_Complete_Status DOSMGR_Get_DOS_Crit_Status VPICD_Get_Status PageFile_Read_Or_Write VPICD_Phys_EOI VPICD_Call_When_Hw_Int VPICD_Physically_Mask VPICD_Clear_Int_Request VPICD_Physically_Unmask VPICD_Convert_Handle_To_IRQ VPICD_Set_Auto_Masking VPICD_Convert_Int_To_IRQ VPICD_Set_Int_Request VPICD_Convert_IRQ_To_Int VPICD_Test_Phys_Request VPICD_Force_Default_Behavior VTD_Update_System_Clock VPICD_Force_Default_Owner
The VMM implements two memory managers. The V86MMGR VxD manages memory for V86-mode applications, including Expanded Memory Specification (EMS) and Extended Memory Specification (XMS), and the Memory Manager (MMGR) provides services such as GDT/LDT management, global heap management, physical memory management, protected mode address translation, and V86 page management, including V86 address mapping and allocation.
If you are writing a virtual display device or writing a VxD for a device requiring contiguous physical memory (such as devices using DMA transfers), you need to implement some form of memory management. Additionally, certain memory management implementations in your VxD such as memory mapped devices may require knowledge of the way the 80386 implements memory management using page tables.
All memory in the system is allocated by the memory manager. This includes large allocations for VMs as well as a small heap available to VxDs requiring dynamic memory allocation.
While each VM has its own memory and linear address space, any VM that is presently ecuting is also mapped into the first megabyte of the linear address space. The MMGR rforms this mapping on each task switch by updating the page tables to reflect the new
ping of the lower linear address space. Figure 3.1 shows a possible memory configuration with multiple VMs.
The MMGR can provide per-VM data to a VxD. When a VxD initializes, it can request a number of bytes of control block data. The MMGR returns an offset from the VM handle, which is reserved for your VxD's control block area at the same offset in each VM control block. The following 'C' code sample shows how a VxD control block is allocated and assigned a pointer.
// Allocate part of VM control block for VDD usage if (NULL = (dw Vid C B Off = vmmAllocateDeviceCBArea( sizeof( VDDCB ), 0 ))) { vmmDebugOut( "VDD ERROR: Could not allocate control\ block area:\r\n" ) ; vddFatalMemoryError() ; return ( FALSE ) ; } pSysvMCH=(PvDnCB) (hVM + dwVidCBoff);
VMM allocates a control block containing vital information for each VM and is located at the zero offset from the VM handle. VMM's control block has the following structure: //------------------------------------------------------------- // VM control block structure (VMM) //------------------------------------------------------------- typedef struct tagVMMCB { DWORD CB_VM_Status ; DWORD CB_High_Linear ; DWORD _Client_Pointer ; DWORD CB_VMID ; } VMMCB, *PVMMCB ;
Thus, given a VM handle, a VxD can obtain the VM's ID using the following method:
DWORD dwVMID ; dwVMID = ((PVMMCB) hVM) -> CB_VMMID ;
The low memory (inten-upt vector table, BIOS & DOS data, and so forth) for each VM is located in high linear address space along with the rest of the memory for that VM. It is preferable to access VM memory using the high linear addresses, as these will not change. If a task switch occurs during memory reads or writes to a low linear address, your VxD may access an invalid address.
The MMGR provides an address translation API. While registers are preserved when making a ring transition between V86 mode and flat 32-bit mode, a pointer using a realmode segment and offset is meaningless in protected mode. A number of macros in VMM.INC use MMGR services to convert the parameters in the client VM's registers automatically.
Client_Ptr_Flat is a macro that sets up a call to the Map Flat_service:
Client_Ptr_Flat esi, DS, DX
which expands to:
push eax mov ax, Client DS * l00h + Client DX VMMCal 1 Map_Flat mov es i, eax pop eax
The actual address mapping magic is performed in VMM's Map_Flat service. The following algorithm is used by Map_Flat to map the pointer to a 32-bit flat offset:
mov esi, [ebp. Client_EDX] mov eax, [ebp.Client_DS] if (VM is V86 mode) shl eax, 4 movzx esi, si ; zero high order offset add eax, esi add eax, [ebx.CB_High_Linear] else (VM is prot. mode) if (!32-bit) movzx esi, si eax = _Selector_Map_Flat( hVM, [ebp.Client_DS], 0 ) if (eax != -1) add eax, esi if (eax < 1 MB + 64KB) add eax, [ebx.CB_High_Linear] endif
The translation APIs are often used when accessing memory specified through V86 or PM APls. Dual-mode (combination V86 and PM) APls accessing application-provided buffers can be easily implemented using the Map_Flat service as demonstrated here:
;---------------------------------------------------------------------- ; ; VSIMPLED Get_Info, PMAPI, RMAPI ; ; DESCRIPTION: ; This function is used to get information about the ; VSIMPLED configuration. ; ENTRY : ; Client_ES = selector/segment of VSIMPLEDINFO structure ; Client_BX = offset of VSIMPLEDINFO structure ; ; EXIT : ; IF carry clear ; success ; Client_AX = non-zero ; Client_ES:BX ->filled in VSIMPLEDINFO structure ; ELSE carry set ; Client_AX = 0 ; ; USES : ; Flags, EAX, EBX, ECX, ESI, EDI ; ;---------------------------------------------------------------------- BeginProc VSIMPLED_API_Get_Info Assert_Client_Ptr ebp Trace_Out "VSIMPLED_API_Get_Info: called" Client_Ptr_Flat edi, ES, BX cmp edi, -1 je SHORT GI_Fail lea esi, [gVxDInfo] mov ecx, size VSIMPLEDINFO cld shr ecx, 1 rep movsw adc cl, cl rep movsb mov [ebp.Client AX], 1 ; success clc ret GI_Fail : Debug_Out "VSIMPLED_API_Get_Info: FAILED mov [ebp.Client AX], 0 ; failed stc ret EndProc VSIMPLED_API_Get_Info
Allocation of memory can be accomplished using either the _HeapAllocate or _PageAllocate VMM services. In most cases, using the heap allocation services is sufficient for your VxD and may make implementation easier than using the page allocation services. To allocate memory using the heap services use the following code:
VMMCall _HeapAllocate,or eax, eax jz SHORT Alloc_Failed mov pDataBlock, eax
VMM allocates the memory on a doubleword boundary, but the cbSize parameter does not have to be dword aligned. The VxD is responsible for making sure that it stays within the bounds of the memory block, because VMM does not provide protection against accessing memory beyond the allocated range. The memory allocated by this service is fixed, and frequent allocating and freeing of memory may fragment the heap. Also, the memory block is not page-locked and may not be present when accessed. PageSwap VxD resolves the not- present fault so your VxD can continue with memory accesses.
If you require page-locked memory and are using the heap management services, the service _LinPageLock can be implemented. This avoids the possibility of VMM discarding the physical memory between accesses by a VxD. However, because physical memory is a limited resource, you should only use this service in cases where page-locked memory is vital to your implementation.
_HeapGetSize, _HeapReAllocate, and _HeapFree are used to determine the block size and to, reallocate and free the memory block, respectively. Using _HeapReAllocate may cause the address of the block to change, and VxDs must not rely on the possibility of the address remaining constant. _HeapReAllocate can preserve the contents of the old block by copying the contents to the new block. The following flags are defined for use with this service:
HeapNoCopy Do not copy the contents of the existing block. HeapZeroInit Initialize the new bytes in the heap to zero. HeapZeroReInit Fill all bytes in the block with zero.
MMGR also provides low-level memory management services, allowing a VxD to allocate memory within a physical address range, to perform allocations within physical boundary constraints (not crossing 64k or 128k boundaries), and to allocate memory visible to all VMs or to only a single VM. Additionally, the page-fault handler for the allocated pages can be redirected to a specific handler in your VxD. (See the next section for more information on hooked pages.)
Allocation of pages with physical boundary restrictions and/or physical address limitations can only be performed during initialization. The following example demonstrates allocating a buffer for use with a DMA device:
;----------------------------------------------------------- ; VSIMPLED_Allocate_DMA_Buffer ; ; DESCRIPTION: ; ; This function allocates a buffer suitable for DMA transfers. ; It attempts to allocate enough contiguous pages to hold the , requested size. If the request fails, the size is halved ; until all allocation attempts have failed. ; ; ENTRY :; ; EAX = Desired size (in KB) of the DMA buffer to allocate. ; This size cannot be exceed 64. ; ; EXIT : ; ; IF carry clear ; EAX = memory handle of the memory block allocated ; EBX = _physical address_ of memory block ; ECX = actual size in _bytes_ of memory block allocated ; EDX = _ring 0 linear address_ of memory block ; ELSE carry set ; EAX = EBX = ECX = EDX = 0 ; ; USES : ; ; Flags, EAX, EBX, ECX, EDX ; ;----------------------------------------------------------- BeginProc VSIMPLED_Allocate_DMA_Buffer cmp eax, 64 jle SHORT ADB Start Debug_Out "Requested size #EAX too big!" mov eax, 64 ADB Start: add eax, 3 ; round up to get shr eax, 2 ; # of pages ADB_Allocate_DMA_Buffer_Loop: mov ebx, eax ; EBX = # of pages to allocate ; (examples : 3 7 11 ; 12K 28K 44K dec eax ; # pages - 11Ob 111b 1O11b bsr cx, ax ; max power of 2 1 2 3 inc cl ; shift cnt 2 3 4 mov eax, 1 shl eax, cl ; mask + 1 100b 1000b 10000b dec eax ; mask 11b 111b 1111b ; alignment 16K 32K 64K mov ecx, ebx Trace_Out "pages=#ECX alignment=#EAX" ; ; EAX = alignment mask for allocation ; ECX = number of pages to allocate ; push ecx VMMcall _PageAllocate> pop ecx or eax, eax jnz short ADB_Success Trace_Out "Allocation failed: pages=#ECX" mov eax, ecx shr eax, 1 jnz short ADH_Loop xor ebx, ebx xor ecx, ecx stc ret ADB_Success: shl ecx, 12 ; pages-->bytes ; ; Returns: ; ; EAX = memory handle of the memory block allocated ; EBX = _physical address_ of memory block ; ECX = size in _bytes_ of memory block allocated ; EDX = _ring 0 linear address_ of memory block ; clc ; success ret EndProc VSIMPLED_Allocate_DMA_Buffer
To hook V86 pages, a range of pages is first assigned to the VxD:
// Buffer used for reserving pages DWORD aVMPagesBuf[ 9 ]; vmmGetDeviceV86PagesArray( NULL, &aVMPagesBuf, NULL ) ; if (aVMPagesBuf[ 0x A0/32 ] & 0x FF00FFFF) { vmmDebugOut( "VDD ERROR: Pages already allocated\r\n" ), vmmFatalError(szVDD_Str_CheckVidPgs ) ; return ( FALSE ) ; } if (!vmm Assign Device V B6 Pages( Ox AO, 16, NULL, NULL )) { vmm Debug Out( "VDD ERROR: Could not allocate pages\r\n" ) ; vmm Fatal Error( sz VDD Str Check Vid Pgs ), return ( FALSE ) ; } if (!vmm Assign Device V B6 Pages( Ox BB, 8, NULL, NITLL )) { vnunDebugOut( "VDD ERROR: Could not allocate pages\r\n" ) ; vmm Fatal Error( sz VDD_Str Check Vid Pgs ) ; return ( FALSE ) ; }The V86 pages are then directed to a page fault handler:
// Put an .ASM front end on the page-fault procedure. if (NULL =- (p VDD P Fault = VMMWRAP Thunk V86 P H Proc( VDD_P Fault ))) { vmmDebugOut( "VDD ERROR: Could not thunk VDD_PFault!\r\n" ) ; vmmFatalError( ) ; return( FALSE ), } // Hook graphics pages for (i = 0; i < 16; i++) vmmHookV86Page( OxAO + i, pVDD_PFault ) ; // Hook text pages for (i = 0; i < 8; i++) vmmHookV86Page( OxBB + i, pVDD_PFault ) ;
During the Create_VM message processing, the V86 pages are marked as not available (not present and not writeable), using the _ModifyPageBits service:
vmmModifyPageBits( hVM, OxAO, 16, ~P_AVAIL, NULL, PG_HOOKED, NULL ) ; vmmModifyPageBits( hVM, OxBB, 8, ~P_AVAIL, NULL, PG HOOKED, NULL ) ;
Note that it is necessary to specify the PG_HOOKED in the type parameter of the _ModifyPageBits service when clearing any of the PG_PRES, PG_USER, or PG_WRITE bits.
After the initialization is complete, any read or write access of the hooked pages causes a page fault. The page fault handler is called with the faulting page number and the handle of the VM, causing the fault. It is the responsibility of the page fault handler to map memory into the page to resolve the fault or terminate the virtual machine. To map physical memory into the faulting page, use the following code:
// dwPhysPage is the physical page allocated using // _PageAllocate with PG_HOOKED vmmPhysIntoV86( dwPhysPage, hVM, uFaultPage, nPages, 0 ;
Under some circumstances (such as low memory or other memory mapping error), it may be more desirable to allow the VM to continue without crashing the VM. In these cases, the system null page is assigned to this linear page:
vmmMapIntoV86( VMM_GetNulPageHandle(), hVM, uFaultPage, 1, 0, 0 ) ;
The system null page is guaranteed to contammin invalid informationmm for any given VM. Do not rely on its contents for further processing in your VxD.
The VDD uses these techniques to allow multiple VMs to access the video display hardware and maintainmm separate virtual displays for virtual machines. It is also possible to simulate ROM in a virtual machine using hooked pages. When the page fault occurs, map the pages using _PhysIntoV86 and clear the P_WRITE bit using _ModifyPageBits. Note, however, that when the VM restarts, the instruction causing the fault also restarts. If the VM was performing a write operation, a page fault would occur immediately. To resolve this loop, you would need to modify the VM client registers to point the IP to the instruction following the faulting instruction.
A VM can determine whether pages in the linear address space have been accessed and whether data has been written on these pages by examining the page table entries (PTEs) using VMM's _CopyPageTable service. The VDD uses this technique to determine which pages have been accessed and need to be updated in the virtual display of a windowed MS- DOS box.
A linear address in a paging operating system such as VMM is decoded shown in Figure 3.2. Each PTE is 4 bytes in length and contains the access bits and physical address of the page. To examine the PTEs of the first megabyte of the active virtual machine, use page numbers in the range 0 to l OFh. Page numbers of other virtual machines are computed using the CB_High_Linear field in the control block of the respective VM.
Given a pointer to a memory block in a VM, a VxD can use the Map_Flat service to translate this address to a flat offset. Shifting this address right by 12 gives you the page number. To determine if pages in a hooked V86 range have been accessed or if data has been written to these pages use the following code:
VMMCall _CopyPageTable,, 0> mov ecx, gu Num Hooked Pages Check_Accessed_Or_Dirty: test dword ptr aPageBuf[ ecx ], P_ACC or P_DIRTY jz SHORT Next_Page Trace_Out "Page #ECX of hooked range is dirty or has been\ accessed" Next_Page: loop Check_Accessed_Or_Dirty
A VxD can allocate selectors in the GDT or in a VM's LDT using the _Allocate GDT_Selector and _Allocate_LDT_Selector services. Two descriptor double-words are required when allocating selectors. VMM provides the _BuildDescriptorDWORDs service to generate these double-words:
VMMCall _BuildDescriptorDWORDs,< dwLinAddr,cbSize,\ RW_Data_Type, 0, 0> VMMCall AllocateGDTSelector,The following equates are useful when building descriptor double-words:
; Common definitions for segment and control descriptors D_PRES segment is present in memory D_NOTPRES segment not present D_DPL0 descriptor privilege level definitions D_DPL1 D_DPL2 D_DPL3 D_SEG segment descriptor (application type) D_CTRL control descriptor (system type) D_GRAN_BYTE limit in byte granularity D_GRAN_PAGE limit in page granularity D_DEF16 default operation size is 16 bits (code) D_DEF32 default operation size is 32 bits (code) ; Definitions specific to segment descriptors D_CODE code segment D_DATA data segment D_RX if code, readable D_X if code, executable only D_W if data, writeable D_R if data, read only D_ACCESSED segment accessed bit ; Useful segment definitions RW_Data_Type present R/W data segment R_Data_Type read-only data segment Code_Type code segment
The MMGR manages instance data for VMs. Instance data is a range in V86 address space that VMM maintains separately for each VM. It is used frequently for MS-DOS and some TSRs.
For example, if an MS-DOS device driver maintains an input buffer, it may be useful to have the buffered input directed to the VM that was active when the buffer was filled. In this case, the VxD would query the device driver for the buffer address and maximum size and add an instance data area as shown here:
// Define instance data for instance data manager INSTDATASTRUC Instance_Area = { NULL, NULL, NULL, NULL, ALWAYS_Field } ; // Specify instanced area as provided by DOS driver. Instance_Area.dwInstLinAddr=pInputBuffer; Instance_Area.dwInstSize=dwBufferSize; if(!VMM_AddInstanceItem(&Instance_Area,0)) goto DI_FatalError ;
When writing VxDs for use with "Windows-aware" TSRs, it may be necessary to allocate a block of memory that is global to all VMs, that is, a memory block with a V86 address mapped to the same physical memory in all VMs. The _Allocate_Global_V86_Data_Area service performs this type of allocation as shown here:
// Allocate a global V86 data area of 512 bytes if (NULL == (gdwGlobalArea = vmmAllocateGlobalV86DataArea( 512, GVDADWordAlign ) ) ) { vmmDebugOut( "Failed to allocate global V86 data area!\r\n" ) ; return ( FALSE ) ; } vmmTraceOutParam( "Allocated global area at #EAX\r\n", gdwGlobalArea ) ;The _Allocate_Global_V86_Data_Area service accepts the following flags:
GVDADWordAlign Aligns the block on a doubleword boundary. GVDAHighSysCritOK Informs the services that the VxD can handle a block that is allocated from high MS-DOS memory, such as UMBs or XMS. (Win 3.1 only) GVDAInquire Returns the size in bytes of the largest block that can be allocated, given the requested alignment restrictions. (Win 3.1 only) GVDAInstance Creates an instance data block, allowing the VxD to maintain separate blocks for each VM. GVDAPageAlign Aligns the block on a page boundary. GVDAParaAlign Aligns the block on a paragraph boundary. GVDAReclaim Unmaps the physical pages in the block when mapping the system null page into the block. The physical pages are added to the free list when this value is specified. Only applies to blocks allocated on a page boundary. If this flag is not specified, it is up to the virtual device to reclaim these pages. GVDAWordAlign Aligns the block on a word boundary. GVDAZeroInit Fills the allocated block with zeros.In the VMEMTRAP sample, an unassigned V86 area is located and assigned to the virtual device. Pages are allocated for each new VM and "instanced" pages are simulated, using hooked V86 pages and a page-fault handler. Using the _AllocateGlobalV86DataArea service specifying the GDVAInst accomplishes the same thing in a single service call, with the exception that a specific V86 range cannot be specified.
_AllocateGlobalv86DataArea has limitations. For example, you cannot hook the page fault handler or modify the page bits of the V86 linear range returned by this service. Windows 3.x does not provide an interface to allow VxDs to monitor access of these pages other than viewing the page table entry access bits. A virtual device must provide an additional interface to manage VM contention of these pages using software inten-upts or the VxD's API.
An unsupported method of providing page protection is to modify the page table entries (PTEs) directly and hook the Invalid_Page_Fault handler. The PTE contains the page frame address in the upper 20 bits (4k page aligned), and the lower 12 bits provide access restriction and accessed and/or dirty information.
Entry 0 in the page directory contains the physical address of the page table for the V86 address space of the active VM. By modifying these page table entries, you can modify the access rights to a given page in V86 address space.
You must use caution when accessing the page tables directly. Modifying not-present page tables or incorrectly modifying page access bits will cause the system to crash. In other words, "Ok, here's your weapon, first point it at your foot before pulling the trigger!"
Page protection is risky business when it is not directly supported by the host operating system, but some implementations require such information about how a VM is behaving. Take note ! ! You can guarantee that anything that you do now to provide this mechanism may not be supported in future releases of Windows. Use this information at your own risk and version bind your code to the Microsoft Windows 3.1 VMM.
The VGLOBALD sample demonstrates the allocation of a global V86 data area that would be suitable for a TSR and VxD to use for communication in multiple VMs. If you run this sample under the debugging version of WIN386.EXE you should notice that, when new VMs are created and the System VM does not have access to the pages that are hooked using this page protection scheme, VMM will "gripe" about the not-present page within the V86 page range. You may decide to modify the page table entries to match WIN386 expectations before creating a new VM.
V86MMGR provides an interface for VxDs to map protected- mode data buffers to V86- interfaces. When a virtual device translates an API which transfers data using pointers to data blocks from protected mode applications to DOS-mode device drivers, it needs to implement services provided by V86MMGR to translate these buffers to a V86 addressable memory. Also, DOS device drivers that update buffers asynchronously require memory to be mapped into global V86 address space.
For example, Int 21h eommonly uses buffers referenced by DS:DX. The DOSMGR virtual device provides automatic buffer translation for most of these APIs by hooking Int 21 h and translating the protected mode addresses so that DOS can understand the request without additional work required by the protected-mode application. Additionally, VNETBIOS provides buffer mapping for NetBIOS data packets using V86MMGR services. These buffers are updated as the result of interrupt processing.
V86MMGR provides two types of services: buffer mapping and buffer translation. The mapping services update the page tables in all VMs so that the buffer is in global V86 space. The translation services copy a buffer to a V86 copy buffer and use the copy buffers address to communicate with the DOS device driver code. The mapping services should be used only when the buffers will be updated asynchronously. Do not use the mapping services in place of the translation services to avoid copying the buffer s data - it is faster to copy data to and from a translation buffer than to map a buffer into multiple virtual machines.
V86MMGR does not directly support the mapping or translation of buffers referenced by pointers within a structure. The VxD is responsible for translating or mapping the buffer using V86MMGR services; it updates the structure to contain a valid V86 pointer and then passes the call to the DOS device driver.
When a VxD requires V86MMGR services, it must inform V86MMGR how many pages are required by using the V86MMGR_Set_Mapping_Info service. This service call must be made during initialization, preferably during Sys_Critical_Init processing. Alternatively, the VxD can call this service during Device_Init, if the VxD has an Init_Order less than V86MMGR_Init_Order.
When a call to the DOS device has been intercepted by the VxD, the VxD should determine whether the call is from V86 mode or protected mode. When a V86 call is trapped, buffer translation is not necessary, but mapping for asynchronously updated buffers may be necessary if the buffer is not located in global V86 address space determined by using the _TestGlobalv86Mem service.
To map pages to DOS addressable memory, a VxD calls V86MMGR_Map_Pages with the linear address and number of bytes to map. The returned linear address is guaranteed to be in the first megabyte and in global V86 address space. A map handle is also returned by this service. When the mapping region is no longer required, it is freed using the V86MMGR_Free_Page_Map_Region service with the map handle that was returned by V86MMGR_Map_Pages.
To translate a protected-mode buffer to V86 addressable memory, a VxD calls V86MMG_Allocate_Buffer with the linear address of the buffer to translate and the number of bytes to allocate. If specified, this service copies data to the new buffer. Translation buffers are allocated in a "stack" fashion. In other words, the last buffer allocated must be the first buffer freed. When the translation buffer is no longer required, the V86_Free_Buffer service is used.
The following code fragment demonstrates how a software interrupt buffer is translated from a protected-mode to a real-mode driver:
; ; On entry Client_DS:Client_DX points to a buffer that is ; filled asynchronously and needs to be napped globally. ; Eat the PM interrupt and reflect it to V86 mode. ; ; When the DOS device driver has completed the data ; transfer, the pages must be unmapped using the ; V86MMGR_Free_Page_Map_Region service. ; BeginProc PM_Translate pushad test [ebx.CB_VM_Status], VMStat_PM_Exec jz SHORT PT_Bail VMMCall Simulate_Iret Map_Flat esi, DS, DX movzx ecx, [ebp.Client-CX] VxDCall V86MMGR_Map_Pages mov hPageMap, esi shl edi, 12 shr di, 12 ; ; Simulate the interrupt to V86 ; Push_Client_State Begin_Nest_V86_Exec mov [ebp.Client_DX], di shr edi, 16 mov [ebp.Client_DS], di mov eax, Trapped_INT VMMCall Exec_Int VNNCakk End_Nest_Exec Pop_Client_State clc PT_Bail: Debug_Out "Failure: Call not from protected mode!" stc PT_Exit: popad ret EndProc PM Translate
V86MMGR provides a number of macros to define a script for use with the V86MMG_Xlat_API service. A VxD defines a translation script in its data segment using these translation macros and calls the VB6MMGR service to execute the script. This provides the VxD with a way to reduce the code size of V86 translation services and to use the optimized routines in VB6MMGR.
The translation scripts are terminated by Xlat_API_Exec_Int or Xlat_API_Jmp_To_Proc. When the V86MMGR_Xlat_API service executes one of these commands, control returns to the VxD after the command has been executed. The following sample code demonstrates the use of these macros to translate a null-terminated string for a call to a DOS device driver:
; ; This code demonstrates a simple translation of a NULL ; terminated string in DS:SI to a local V86 buffer. ; VxD_DATA_SEG Xlat_ASCIIZ_Script: Xlat_API_ASCIIZ ds, si Xlat_API_Exec_Int 60h Vx_D_DATA_ENDS Vx_D_CODE_SEG BeginProc Translate_Int60h_Buffer mov edx, OFFSET32 Xlat_ASCIIZ_Script VxDJmp VB6MMGR_Xlat_API EndProc Translate_Int60h_Buffer VxD_CODE_ENDS
A VxD can export an API to protected-mode and V86 mode applications, extending the capabilities of a Windows or MS- DOS driver using supervisor code. For example, the VCD provides an interface to the Windows communications driver (COMM.DRV) to acquire a COM port. The COMM driver queries the VCD for the availability of a given port. If the port is in use by an MS-DOS application, the VCD returns failure. This API allows the COMM.DRV to provide intelligent information regarding the availability of COM ports to the calling application and provides a mechanism to manage device contention.
A VxD declares the API support by defining API procedure entry points in the DDB (see Chapter 1). In the following example, VSIMPLED_V86_API_Proc and VSIMPLED_PM_API_Proc procedures are the entry points for the API from V86 mode and protected mode, respectively. Additionally, the VxD must declare the device ID, as supplied by Microsoft. Declare_Virtual_Device VSIMPLED, VSIMPLED_MAJOR_VER,\ VSIMPLED, MINOR_VER,\ VSIMPLED_Control_Proc,\ VSIMPLED_Device_ID,\ Undefined_Init_Order,\ VSIMPLED_V86_API_8roc,\ VSIMPLED_PM_API_Proc
An application acquires the entry point of the VxD by using Int 2Fh with AX=1684h and BX=VxD Device ID: ; ; Obtain the VxD entry point, if NULL, VxD is not present. ; mov ax, 1684h ; get VxD API entry point mov bx, VSIMPLED_Device_ID int 2fh mov word ptr dwVxDEntry, di mov word ptr dwVxDEntry + 2, es
When this entry point is called by the application, the call is dispatched to the VxD, where it processes the request and returns control to the calling application.
Prior to requesting the VxD entry point from VMM, the application should first determine whether Windows/386 (VMM) is present. A Windows application can use the GetWinFlags() API. A DOS application needs to use Int 2Fh, AX=1600h interface to determine whether VMM is present:
mov ax, 1600h ; Enhanced Windows Check int 2fh test al, 7fh ; VMM (Win386) present? jz Not_Win386
If calling ring-0 VxD code directly from ring 3 seems too good to be true, you should be interested in how this call is dispatched to the VxD. When the Int 2Fh request is processed, the VMM allocates a callback address in the VM's address space. When the VM calls this address, the code generates a fault, a ring transition results, and the fault is dispatched to VMM's fault handler.
VMM determines the operation mode of the VM by testing the status flags in the VM control block. It determines whether the call was made from V86 or protected mode and then dispatches the call at ring 0 to the appropriate handler, as declared in the DDB.
When the API entry points are called, the EBP register points to the Client_Register_Structure (CRS):
typedef struct tag CRS_32 { DWORD Client_EDI ; DWORD Client_ESI ; DWORD Client_EBP ; DWORD dwReserved_1 ; // ESP at pushall DWORD Client_EBX ; DWORD Client_EDX ; DWORD Client_ECX ; DWORD Client_EAX ; DWORD Client_Error ; // DWORD error code DWORD Client_EIP ; WORD Client_CS ; WORD wReserved_2 ; // (padding) DWORD Client_EFlags ; DWORD Client_ESP ; WORD Client_SS ; WORD wReserved_3 ; // (padding) WORD Client_ES ; WORD WReserved_4 ; // (padding) WORD Client_DS ; WORD wReserved_5 ; // (padding) WORD Client_FS ; WORD wReserved_6 ; // (padding) WORD Client_GS ; WORD wReserved_7 ; // (padding) DWORD Client_Alt_EIP ; WORD Client_Alt_CS ; WORD wReserved_8 ; // (padding) DWORD Client_Alt_EFlags ; DWORD Client_Alt_ESP ; WORD Client_Alt 85 ; WORD wReserved_9 ; // (padding) WORD Client_Alt ES ; WORD wReserved_10 ; // (padding) WORD Client_Alt_DS ; WORD wReserved_11 ; // (padding) WORD Client_Alt_FS ; WORD wReserved_12 ; // (padding) WORD Client_Alt_GS ; WORD wReserved_13 ; // (padding) } CRS 32, *PCRS 32 ;
The parameters to the API call, as set by the calling application, are contained in the CRS, and the current VM handle is in EBX.
A VxD usually defines a jump table to the specific API functions that perform the nequested action and return the results to the API handler that reflects the results in the CRS. The following example code demonstrates how functions are dispatched from a VxD API procedure entry point:
;*************************************************************** ; D E V I C E D A T A ;*************************************************************** VxD_DATA_SEG DOBXFER_PM_Call_Table LABEL DWORD dd OFFSET32 DOSXFER_Get_Version dd OFFSET32 DOSXFE_PM_Enable_Call_Backs dd OFFSET32 DOSXFE_PM_Copy_Data Max_DOSXFER_PM_Service equ ($ - DOSXFER PM Call Table) / 4 VxD_DATA_ENDS .*************************************************************** ; E X P O R T E D A P I .*************************************************************** BeginProc DOSXFER_PM_API_Proc, PUBLIC Trace_Out "In DOSXFER_PM_API_Proc" VMMCall Test_Sys_VM_Handle IFDEF DEBUG jz SHORT @f Debug_Out "DOSXFER_PM_API_Proc not from SYS VM" @@: ENDIF jnz SHORT DOSXFER_PM_Call_Bad movzx eax, [ebp.Client DX] ; function in DX cmp eax, Max_DOSXFER_PM_Service jae SHORT DOSXFER_PM_Call_Bad and [ebp.Client EFLAGS], NOT CF_Mask ; clear carry call DOSXFER_PM_Call_Table[ eax * 4 ] ; call service jc SHORT DOSXFER_PM_API_Failed ret DOSXFER_PM_Call_Bad: IFDEF DEBUG Debug_Out "Invalid function #EAX on DOSXFER_PM_API_Proc" ENDIF DOSXFER_PM_API_Failed: or [ebp.Client EFLAGS], CF_Mask ; set carry ret EndProc DOSXFER_PM_API_Proc
Modification of the client registers is made easy using these structure definitions:
; Copy the data structure to the VM and return the results ; of the function. ; EBX = VM handle, EBP = -> CRS ; Map_Flat edi, ES, DI lea esi, gDataStruc mov ecx, size DATASTRUCT shr ecx, 1 rep movsw adc cl, cl rep movsb mov [ebp.Client_CX], size DATASTRUCT mov [ebp.Client_AX], 1 ; SUCCESS! and [ebp.Client E_Flags], NOT( CF_Mask ) ; clc
A VxD may also update a buffer referenced in the CRS by obtaining a flat address using the mapping services discussed in Chapter 3.
; ; Determine the execution mode of the VM. ; test [ebx.CB_VM_Status), VMStat_PM_Exec jz SHORT API_VM_In_V86 test [ebx.CB_VM_Status], VMStat_PM_Use32 jz SHORT API_VM_In_PM16 API_VM_InPM32 : Debug_Out "VM calling from 32-bit protect mode." ret API_VM_InV86 : Debug_Out "VM calling from V86 mode." ret API_VM_In_PM16: Debug_Out "VM calling frm 16-bit protected mode." ret
Note: In Windows 3.x, calling VxD procedures through VxD API calls from 32-bit code segments in the System VM can cause unexpected results when the offset of the return address of the calling routine is greater than OxFFFF. This is a problem with the way that VMM determines the "32- bitness" of the calling application. The System VM is flagged for 16-bit protected mode operation, because Krnl386.EXE is responsible for the switch to protected mode when the Windows GUI is started. Whether 32- bit segments are allocated within the System VM and code within these segments calls VxD APIs, VMM determines that the calling application is 16-bit because of the VM flags. The return address is assumed to be 16 bits and is truncated. This is also a problem for protected-mode software interrupts hooked by a VxD. The only current work- around is to guarantee that the code calling the VxD has a return address with an offset less than OxFFFF.
Callbacks can be used to simulate DOS devices that return a pointer to a jump table by allocating a global V86 table and stuffing the address of the callback allocated using Allocate_V86_Call_Back service into this table. A segment and offset are returned that directs any calls to this routine to the VxDs callback procedure. The CRS reflects the current state of the VM when the callback entry point was called by the VM. A VxD can also provide a "chaining" interface to hooked software interrupts by using these services.
A VxD with "carnal" knowledge of a DOS device driver can intercept calls to this device by using the Install_V86_Break_Point service. This service patches the memory at the requested address with a call to the break point. When the break point is executed, the VxD can process the VM request as necessary and then return control by "bumping" the IP to the next instruction or by using Simulate_Far_Jmp to move the Client CS: Client IP to the correct address.
The nested execution services of VMM provide a controlled environment in which a VxD can cause a redirection of the execution path in a VM. A VxD saves the client registers, begins a nested execution block forcing a VM into V86 or protected mode, calls the necessary services to set up stack frames, and then resumes the VM execution. When the VM returns, the nested execution block is ended and the client registers are restored. Using this technique, a VxD can force the execution of code in TSRs, DOS applications, and even Windows procedures.
When calling routines in a VM other than the current VM, you may need to schedule a VM event to force a specific VM to become aetive. You may also need to determine the execution status of the VM and wait for critical sections to be completed, interrupts to be enabled, and so on. In these cases, you can use the Call_Priority_VM_Event service and begin the nested execution when the event is processed.
As demonstrated in Chapter 3, a VxD can simulate software interrupts to a VM using the Simulate_Int or Exec_Int services. Simulated interrupts are subject to being trapped by other VxDs and will respond exactly as if a VM executed the software interrupt in application code. Additionally, a VxD that has hooked a protected-mode interrupt can affect the callers stack to "eat the interrupt" in protected mode by using a non-nested Simulate_Far_Iret and then reflect it to V86 mode by using nested execution services.
Note that when a VxD simulates calls to a VM and the execution has returned to the VxD, the VxD must copy the results from the CRS before restoring the client's state:
; ; Simulate a software interrupt to the current VM ; Push_Client_State VMMCall Begin_Nest_V86_Exec mov [ebp.Client_AX], 4257h ; specific function mov [ebp.Client_BX], 4C57h ; subfunction mov eax, 60h VMMCall Simulate_Int VMMCall Resume_Exec VMMCall End_Nest_Exec movzx eax, [ebp.Client AX] ; get return value Pop_Client_State
What magic occurs in this code that allows a VxD to simulate an interrupt call in a VM? The Push_Client_State macro allocates space on the stack and copies the current CRS to this block. Begin_Nest_V86_Exec modifies the VM state so that the execution block occurs in V86 mode. Simulate_Int builds an IRET frame and modifies the client's stack and CS:(E)IP to call the interrupt handler. Resume_Exec forces VMM to complete event processing and then resumes the execution of the VM. When the VM completes the execution block, control returns to the VxD and the End_Nest_Exec restores the VM's execution state. The Pop_Client_State macro restores the client's registers, as saved on the stack.
The techniques used to simulate software inten-upts to a VM can be extended to call functions in the System VM. There are a few restrictions when calling Windows functions or functions provided by Windows DLLs:
To call Windows functions, you must use a helper application or DLL to provide the procedure address to the VxD. The VxD can then use the nested execution services to simulate a far call to the procedure in the System VM. If a VM context switch is required (if the current VM is other than the System VM), the VxD must schedule a VM event to call the procedure. The following code sample calls the Windows PostMessage() function from a VxD assuming the PostMessage function pointer was obtained from the application or DLL):
;================================================================= ; ; VSIMPLED Notify App ; ; This routine notifies the Windows application through a ; call to the Post Message() API. ; ; ENTRY : ; EDX: contains the 1Param of the message ; ; USES : ; FLAGS ; ;================================================================= BeginProc VSIMPLED_NotifyApp, High_Freq VMMCall Test_Sys_VM_Handle je SHORT VSIMPLED Post Event NA_Schedule: push ebx mov eax, High_Pri_Device_Boost VMMCall Get_Sys_VM_Handle mov ecx, PEF_Wait_For_STI OR PEF_Wait_Not_Crit mov esi, OFFSET32 VSIMPLED_PostEvent xor edi, edi VMMCall Call_Priority_VM_Event pop ebx ret EndProc VSIMPLED_Notify_App ;================================================================= ; VSIMPLED_PostEvent ; ; Called by the priority VM event dispatch routine or ; directly if System VM was already active. ; ; ENTRY : ; EBX: The system VM handle ; EBP: Client register structure ; EDX: Reference data ; ; USES : ; EAX, EDX, FLAGS ;================================================================= BeginProc VSIMPLED_PostEvent Trace_Out "In VSIMPLED_PostEvent" cmp lpPostMessage, 0 ; Q: ptr == NULL? je SHORT PE_Exit ; Y: can't call Push_Client_State VMMCall Begin_Nest_Exec mov ax, NotifyWnd ; handle to window VMMCall Simulate_Push mov ax, Notify Msg ; notification msg VMMCall Simulate_Push xor ax, ax VMMCall Simulate_Push ; wParam is NULL mov eax, edx shr eax, 16 VMMCall Simulate_Push ; lParam is ref data mov eax, edx VMMCall Simulate_Push movzx edx, WORD PTR [lpPostMessage] mov cx, WORD PTR [lpPostMessage + 2] VMMCall Simulate_Far_Call ; call PostMessage() VMMCall Resume_Exec VMMCall End_Nest_Exec Pop_Client_State PE_Exit : ret EndProc VSIMPLED_PostEvent
In Windows 3.1, the VPICD added services that allow a Windows driver to provide interrupt service routines callable at ring 0. This means a Windows device driver to provide a common code base for hardware interrupt servicing. This technique can be implemented by other VxDs to call routines in a VM directly from ring 0, as shown in Figure 5.1.
The technique to call TSR code from ring 0 is actually quite simple. A VxD provides an API that allows a V86 or PM application to register a procedure as a "direct" callback procedure. Ring 0 16-bit GDT selectors are built to access code and data of the callback procedure. When the required event occurs, the VxD calls the callback procedure by setting up a far return frame, including a 32-flat far return address to a return-to-flat procedure and a 16:16 far return address to a return-from-16 procedure in the VxD. The VxD then performs a far return kicking out to the 16-bit code in the TSR. When the TSR has completed processing, the far return kicks back to the return-from-16 procedure in the VxD. The last remaining issue is to return to 32-flat model by using a final far return to the return-to-flat procedure.
This method makes some assumptions of the way TSRs are loaded in the system:
global in all VMs, this mapping must remain constant in all page tables.
The following code fragments demonstrate the technique of calling TSR code (16-bit code) at ring 0. In Sys Critical Init, the GDT selectors used for the call to the TSR are allocated. For this sample, a global timeout is used to initiate the calls to the TSR.
;--------------------------------------------------------------- ; VCALLTSR_Sys_Critical_Init ; ; DESCRIPTION: ; Allocates necessary GDT selectors. ; ; ENTRY : ; EBX = handle to Sys VM ; EDX = reference data from real-mode init ; ; EXIT: ; Carry clear if no error, otherwise set if failure. ; ; USES : ; Flags ;--------------------------------------------------------------- BeginProc VCALLTSR_Sys_Critical_Init Trace_Out "VCALLTSR: Sys_Critical_Init" pushad ; ; Note : ; ; An assumption is made that CS:0 is the base of the TSR. ; Since we don't have a segment size, we'll assume 1 page, ; but this could be handled by using a pointer to a structure ; within the TSR obtained from Exec Int instead of using ; Real Mode_Init to gather the information. ; mov eax, edx movzx edx, ax mov dwTSR_RingO_EIP, edx shr eax, 16 shl eax, 4 push eax ; save address VMMCall _BuildDescriptorDWORDS, < eax,,\ Code Type,\
,\ BDDExplicitDPL > VMMCall _Allocate_GDT_Selector, < edx, eax, 0 > or eax, eax jnz SHORT SCI_GotCSSel pop eax jmp SHORT SCI_Failure SCI_GotCSSel: mov dwTS_RingOCS, eax pop eax ; restore address VMMCall _BuildDescriptorDWORDS, < eax, ,\ RW_Data Type, \
,\ BDDExplicitDPL > VMMCall _Allocate_GDT_Selector, < edx, eax, 0 > or eax, eax jz SHORT SCI_Failure mov dwTSR_Ring0_DS, eax VMMCall _BuildDescriptorDWORDS, < ,\ VCT_Switch_Size,\ Code_Type,\ ,\ BDDExplicitDPL > VMMCall _Allocate_GDT_Selector, < edx, eax, 0 > or eax, eax jz SHORT SCI_Failure mov wTSR_Switch_To_Flat_CS, ax mov eax, 500 ; 500 ms timeout xor edx, edx ; no data mov esi, OFFSET32 VCALLTSR_Time_Out VMMCall Set_Global_Time_Out mov hTimeOut, esi popad clc ret SCI Failure : ; ; Free any allocated selectors and exit ; mov eax, dwTSR_Ring0_CS or eax, eax jz SHORT SCI_Failure_TryDS VMMCall _Free_GDT_Selector, SCI_Failure_TryDS: mov eax, dwTS_Ring0_DS or eax, eax jz SHORT SCI_Failure_TryFlat VMMCall _Free_GDT_Selector, SCI_Failure_TryFlat: movzx eax, wTSR_Switch_To_Flat_CS or eax, eax jz SHORT SCI_Failure_Exit VMMCall _Free_GDT_Selector, SCI_Failure_Exit: popad stc ret EndProc VCALLTSR_Sys_Critical_Init
When the timeout procedure is called, the stack frames are created to call the TSR code directly. When the TSR returns the VxD unwraps the stack to get back to 32-bit flat model:
;--------------------------------------------------------------- ; VCALLTSR_TimeOut ; ; DESCRIPTION: ; Event handler for global timeout. Calls TSR code directly ; from ring 0. ; ; ENTRY : ; EBX = Current VM handle ; ECX = additional ms since timeout ; EDX = reference data ; EBP = -> CRS ; ; EXIT : ; Reachedules time-out. ; ; USES : ; All registers. ;--------------------------------------------------------------- BeginProc VCALLTSR_TimeOut pushad mov hTime Out, 0 ; clear handle Trace_Out "Setting up stack frames to call TSR." ; ; This stack frame is so we can get back to flat model. ; push cs ; save CS mov eax, OFFSET32 VCALLTSR_Back_To_Flat push eax ; save EIP ; ; This stack frame will get us back to 32-bit code in ; the VxD and is addressable via 16:16 for the TSR. ; push ds ; save off DS push dwTSR_RETF_From_16 ; ; This is the stack frame used to get us to the TSR ; code. Additionally, DS is setup with a R/W*I pointer ; to the same base address. ; mov eax, dwTSR_Ring0_DS mov ds, ax push cs:dwTS_Ring0_CS push cs:dwTSR_Ring0_EIP retf ; go to the TSR VCT_Switch: pop ds ; restore DS retf ; return to flat VCT_Switch_Size equ ($ - VCALLTSR_Switch_To_Flat) - 1 VCALLTSR_Back_To_Flat: Trace_Out "Back in flat model. Return from TSR = #AX" ; ; Reschedule time out event ; mov eax, 500 ; 500 ms timeout xor edx, edx ; no data mov esi, OFFSET32 VCALLTSR_TimeOut VMMCall Set_Global_Time_Out mov hTimeOut, esi popad ret EndProc VCALLTSR_TimeOut
I/O protection is a powerful feature provided by the 80386/80486 chipset. When the Current Privilege Level (CPL) is less than or equal to the I/O privilege level (IOPL), the following instructions can be executed:
IN input INS input string OUT output OUTS output string CLI clear interrupt-enable flag STI set interrupt-enable flag
If CPL is less than or equal to IOPL in protected mode, the processor allows the I/O operation to proceed. If CPL is greater than IOPL or if the processor is operating in virtual 8086 mode, the I/O permissions bitmap (IOPM) is used to determine whether access to the port is allowed. Because MS-DOS VMs run in virtual 8086 mode and a Windows application has a CPL of 3 (for Windows 3.1 ) and IOPL is 0, the I/O permissions bitmap is always used in these cases to determine whether access to the port is valid.
VMM keeps a copy of the IOPM for each VM (it is associated with the TSS and other task information). VxDs can enable or disable access to ports by modifying the IOPM using VMM services. Also, it is possible to trap ports in one VM and allow access to the hardware directly in another VM.
The Install_IO_Handler and Install_Mult_IO Handlers services install handlers that are called when the GP fault handler has determined that I/O to the associated port has caused the fault. VMM provides the Enable_Local_Trapping, Enable_Global_Trapping, Disable_Local_Trapping, and Disable_Global_Trapping services to modify the IOPM of virtual machines to enable and disable access to the I/O ports.
I/O trapping is the primary method used to manage device contention. By allowing only one VM access to a hardware device address space, the VxD can manage accesses by other VMs. For cases of contention, a VxD can simulate the device I/O and submit the actual hardware request when the hardware is free, ignore the hardware access, and return as though the hardware did not exist or crash the VM attempting to access the hardware.
A VxD can simulate hardware that does not exist by virtualizing the device using a finite state machine (or other similar method) and returning the appropriate information to the requesting application.
To trap I/O addresses, a VxD uses the Install_IO_Handler or Install_Mult_IO_Handlers services of VMM. These services are only available during device initialization.
These services associate a callback (or table of callbacks) with an I/O port (or table of I/O ports). By default, global trapping is enabled, any access to the trapped ports causes a fault, and the associated callback procedure is called.
An I/O table has the following format: VxD_IDATA_SEG Begin_VxD_IO_Table VTRAPIOD_Port_Table VxD_IO TRAPIO_IDX, VTRAPIOD_IO_Index_Reg VxD_IO TRAPIO_DATA, VTRAPIOD_IO_Data_Reg End_VxD_IO_Table VTRAPIOD_Port_Table VTRAPIOD_Port_Table_Entries equ (($-VTRAPIOD_Port Table)-\ (SIZE VxD_IOT_Hdr)) / (SIZE VxD_IO_Struc) VxD_IDATA_ENDS
This table uses offsets from the base I/O address as the port address. When the base address of the hardware has been determined, the VxD can update the I/O table and install the handlers:
;--------------------------------------------------------------- ; VTRAPIOD Device Init ; ; DESCRIPTION: ; Non critical system initialization procedure. ; ENTRY : ; EBX = Sys VM handle ; ; EXIT : ; CLC if everything's A-OK, otherwise STC ; USES : ; Flags. ;--------------------------------------------------------------- BeginProc VTRAPIOD_Device_Init Trace_Out "VTRAPIOD: Device_Init" pushad ; ; Build an I/O port table for Install Mult_IO Handlers ; using the base address. ; mov ecx, VTRAPIOD_Port_Table_Entries mov esi, OFFSET32_VTRAPIOD_Port_Table mov edx, VTRAPIOD_Base_IO DI_Install_IO_Handlers: mov edi, esi ; save a copy in EDI add esi, (size VxD_IOT_Hdr) DI_Bump_IO_Loop: add [esi.VxD_IO_Port], dx ; add port base to offset add esi, (size VxD_IO_Struc) loop DI_Bump_IO_Loop ; ; Tell VMM to trap ports. ; VMMcall Install_Mult_IO_Handlers ifdef DEBUG jnc SHORT DI_Exit Debug_Out "VTRAPIOD: cannot trap ports!!" endif DI_exit : popad ret EndProc VTRAPIOD_Device_Init
When an I/O port within the given range has been accessed,
the fault handler dispatches to the associated I/O handler.
For this example, the index register simply stores the index
if valid (on write) or returns the current index (on read):
;---------------------------------------------------------------------
; VTRAPIOD_IO_Index_Reg
;
; DESCRIPTION:
; Handles IO trapping.
;
; This is a virtual R/W index register.
;
; ENTRY :
; EBX = VM Handle.
; ECX = Type of I/O
; EDX = Port number
; EBP = Pointer to client register structure
;
; EXIT :
; EAX = data input or output depending on type of I/O
;
; USES :
; FLAGS
;---------------------------------------------------------------------
BeginProc VTRAPIOD_IO_Index_Reg, High_Freq
Dispatch_Byte_IO Fall_Through, The one drawback with this simple I/O trapping interface is
that there is a single global virtual device. Multiple VMs
can simultaneously (well, almost simultaneously) access this
device and may inadvertently affect the processing of
another VM by switching the index register while a different
VM is updating an indexed data register. This is commonly
referred to as device contention, and this VxD must be
improved to properly handle contention between VMMs. The
next below discusses this topic in greater detail.
When multiple virtual machines attempt to access the same
hardware interface and device contention is not handled by a
VxD, the VMs probably interact with the hardware in such a
way that all the hardware sees is gibberish.
To avoid these problems, a VxD implements one of the
following methods of device contention: The most commonly used method is to allow only one VM to
access the hardware at a time. Other VMs cannot access the
hardware until it has been released by the owner.
To
implement this form of device contention, all I/O ports for
the hardware device are trapped. When a VM accesses a
trapped port, the handler routine checks to see whether the
device has been assigned to a VM. If a contention is
detected, the VxD may display a warning message using the
Shell VxD's API and then return with carry set for all reads
and writes to the hardware. If there is no current owner,
the VxD assigns the device to the VM and disables the I/O
trapping for the VM using the Disable_Local_Trapping
service. When the VM terminates or when the hardware is
explicitly released by the VM, the VxD re-enables the
trapping for the VM, using the Enable_Local_Trapping
service, and clears the owner status of the hardware.
The following sample code is contention management in its
simplest form:
;---------------------------------------------------------------------
; VCONTEND_Check_Owner
;
; DESCRIPTION:
; Checks the current VM owner; if none, assigns
; device to VM. If the VM is an owning VM, returns
; carry clear, otherwise it returns carry set.
;
; ENTRY :
; EBX = VM Handle.
;
; EXIT:
; CLC if owner OK, or STC if contention
;
; USES :
; FLAGS
;---------------------------------------------------------------------
BeginProc VCONTEND_Check_Owner, High_Freq
push eax
mov eax, hOwnerVM
or eax, eax
jz SHORT CO_Assign_To_VM
cmp eax, ebx
jne SHORT CO_Failure
CO_Success:
pop eax
clc
ret
CO_Assign_To_VM:
mov hOwnerVM, ebx
jmp SHORT CO_Success
CO_Failure:
pop eax
stc
ret
EndProc VCONTEND_Check_Owner
;---------------------------------------------------------------------
; VCONTEND_IO_Index_Reg
;
; DESCRIPTION:
; Handles IO trapping.
; This is a virtual R/W index register.
;
; ENTRY :
; EBX = VM Handle.
; ECX = Type of I/O
; EDX = Port number
; EBP = Pointer to client register structure
;
; EXIT :
; EAX = data input or output depending on type of I/O
;
; USES :
; FLAGS
;---------------------------------------------------------------------
BeginProc VCONTEND_IO_Index_Reg, High_Freq
call VCONTEND_Check_Owner
jc SHORT IIR_Exit
Dispatch_Byte_IO_Fall_Through, Note that with this method of contention management, the
hardware remains in the state the last owning VM left it in.
You may decide to define an initial state for a VM in the VM
control block and update the state when the VM releases the
hardware. When a VM acquires the hardware, the state would
be copied from the VM's control block to the hardware.
As demonstrated in the preceding code fragments, it is
possible to simulate (or virtualize) hardware through the
use of trapped I/O interfaces. The Windows 3.1 Device Driver
Kit contains sources to VxDs that simulate hardware such as
the Virtual DMA Device and the Virtual COMM Device. You
should investigate these sources for examples of more
complex interfaces.
VxDs can use these techniques to translate common hardware
interfaces to new or improved hardware interfaces and
maintain the backward compatibility of the older platforms
for MS-DOS applications.
To fully virtualize a hardware interface, your VxD may need
to incorporate IRQ virtualization and/or DMA virtualization.
These topics are covered in Chapters 7 and 8, respectively.
The Virtual Programmable Interrupt Controller Device
(VPICD) provides an interface to hook (virtualize) IRQs,
query information about the state of a hooked IRQ, simulate
hardware interrupts to VMs, share interrupts, and handle
interrupts in the System VM with a single ISR interface using
the bimodal interrupt interface.
During initialization, the VPICD configures the PICs (slave
and master), hooks the IDT entries, and establishes default
handling for non-virtualized IRQs. The PICs are virtualized
to all VMs. When a VM masks an interrupt, it is
communicating with the VPICD and does not perform I/O
directly to the PIC. VPICD provides services to affect the
physical state of the PICs. It is strongly recommended that
VxDs use this interface to change the physical state of a
virtualized IRQ.
IRQ virtualization is recommended for hardware devices that
use hardware interrupts as a form of communication with
device drivers. There are several reasons for this
recommendation: The most common complaint of interrupt processing under
Windows is the interrupt latency issue introduced by
simulating interrupts to VMs. Additionally, you may be
interested in monitoring interrupt response from a hardware
device before simulating the interrupt to a VM. In these
cases, IRQ virtualization is required.
Before discussing IRQ virtualization in detail, we need to
explain the default operation of VPICD when an interrupt is
not virtualized. By default, all IRQs are "virtualized" by
VPICD. If the intemzpt was unmasked prior to starting Win386
(or the special case of IRQ 9), the default owner is global.
Otherwise, no default owner exists.
The default hardware interrupt procedure (Hw_Int_Proc)
simulates an interrupt to the current VM if the IRQ is
unowned. When the IRQ is global, VPICD simulates the
interrupt to the current critical section owner or the
current VM, if there is no critical section owner. Also,
interrupts simulated for global IRQs are nested in the VM
until the nesting has been "unwound", but non-owned
interrupts are always simulated to the current VM in all
circumstances.
When an interrupt is simulated to a VM (by a default IRQ
handler or using the VPICD_Set_Int_Request service), the VM
priority is boosted and the IRET procedure is hooked to
notify the IRET procedure when the interrupt has been
completed. These events only occur when the IRQ is not
nested.
End-of-Interrupt results when the VM issues an EOI to the
virtual PIC. The default EOI handler clears the virtual
interrupt request and performs a physical EOI using the
VPICD_Clear_Int_Request and VPICD_Phys_EOI services
respectively.
By default each unowned or global interrupt procedure has a
timeout of SOOms. A VM timeout is scheduled to watch the
interrupt processing time in a VM. If the ISR in the VM does
not service the interrupt within the specified timeout
period, VPICD continues execution as though the ISR had
issued an IRET. The timeout is canceled when the VM issues
an IRET (or the last IRET in a nested block).
VPICD simulates a level-triggered PIC. That is, when a
virtual EOI occurs another interrupt will be simulated
immediately unless the virtual interrupt request has been
cleared by the VPICD_Clear_Int_Request service.
óIRQ VirtualizationÓ
A VxD can change the default behavior of interrupt
processing by virtualizing the IRQ using the VPICD_virtualize_IRQ
service. The VxD fills the following
structure and calls this service to obtain an IRQ handle: Some of the elements of this structure require further
detail: A VxD must virtualize an interrupt during device
initialization. It is recommended that the VxD virtualize
the interrupt during Sys_Critical_Init if you are using IRQ
9 to avoid problems introduced when interrupts occur between
the Sys_Critical_Init and Device_Init control messages.
The following sample code demonstrates the use of VPICD
services to virtualize an IRQ: When the hardware intenupt occurs, the following procedures simulate the interrupt to the
current VM and clear the interrupt when the ISR issues an EOI to the virtual PIC:
;=========================================================================
; H A R D W A R E I N T E R R U P T P R O C E D U R E S
;=========================================================================
VxD_LOCKED_CODE_SEG
;------------------------------------------------------------------------
; VIRQD_Hw_Int_Proc
;
; DESCRIPTION:
; Hardware interrupt handler. Called by VPICD.
;
; ENTRY :
; EAX = IRQ handle
; EBX = current VM handle
;
; EXIT:
; CLC if processed, STC otherwise.
; USES :
; Flags.
;------------------------------------------------------------------------
BeginProc VIRQD_Hw_Int_Proc, High_Freq
Trace_Out ""
VxDCall VPICD_Clear_Int_Request
VxDCall VPICD_Phys_EOI
ret
EndProc VIRQD_EOI_Proc
VxD_LOCKED_CODE_ENDS
Note that services called during the processing of the Hw Int Proc procedure must be
declared asynchronous (see Chapter 2 for a complete list of asynchronous services). If a
VxD requires the use of a non-asynchronous service to continue interrupt processing, the
VxD must schedule a global event to continue. The debug version of WIN3B6.EXE
notifies you when you attempt to call a non-asynehronous service during interrupt
processing. Heed the warnings of VMM, lest your ignorance cause the system to crash.
óShared IRQ ProceduresÓ
If the hardware platform supports shared interrupts (Micro Channel Architecture) or the
device is using an ISA shared interrupt strategy, the IRQ can be virtualized specifying the
VPICD_Opt_Can_Share flag in the VID_Options element of the
VPICD_IRQ_Descriptor structure. When the hardware interrupt is dispatched to the
Hw_Int_Proc, the VxD should determine whether the interrupt was generated by the
associated hardware device and, if so, process the interrupt and return with carry clear. If
the interrupt was not generated by the supported hardware, the VxD should return
immediately with carry clear. VPICD will continue to walk the shared interrupt list until a
VxD responds with carry set.
Note that the VxD cannot assume that subsequent calls to other callback procedures
specified in the IRQ descriptor structure are the result of an interrupt for the associated
hardware device. The VxD should set a flag when it has simulated an intenupt to a VM
and test against this flag when notifications from VPICD are processed. When the VxD
processes the EOI_Proc it should clear the flag, perform the necessary EOI procedures,
and then return.
The example below demonstrates a very simple IRQ virtualization. The VIRQD_Hw_Int_Proc
simply sets the interrupt request for the current VM and returns. When the ISR
performs an EOI to the PIC, the VIRQD_EOI_Proc clears the interrupt request and
performs a physical EOI.
When a VxD requests an interrupt for a VM using the vPICD_Set_Int aequest
service, the interrupt simulation may not occur immediately. There are several conditions
that do not allow an interrupt to be simulated immediately: In these cases, the interrupt is simulated as soon as the conditions are met.
Note that using VPICD_Set_Int_Request does not guarantee that an interrupt will be
simulated to a VM. For example, if a VM has masked and never unmasks the IRQ, the
interrupt will not be simulated. Additionally, a call to VPICD_Clear_Int_Request
before the interrupt has been simulated prevents the VM from receiving the intemzpt.
The example also does not demonstrate proper techniques when processing hardware
interrupts for device contention management. The VIRQD_Hw_Int_Proc should be
expanded to first determine whether an owner VM exists and then simulate the interrupt to
that VM, as follows: To reduce the interrupt latency of servicing a hardware device contained in ISR code of a
VM, a VxD can service intenupts directly during processing of the Hw_Int_Proc
procedure. In cases where a steady stream of data is processed, the VxD should buffer the
information from the hardware device and provide the information to the owning VM in
chunks.
A Hw_Int_Proc for servicing an interrupt directly might be similar to this: In this example, VIRQD_Hw_Int_Proc does not set the interrupt request for the VM. The
VIRQ_Service_Hardware procedure may set an interrupt request to the owning VM
when a threshold has been reached. This is strictly determined by the requirements of your
hardware and the maximum amount of CPU load you wish to generate. The VxD could
also use some other form of communication to a driver in a VM, such as nested execution
or updating global memory buffers.
Additionally, the VIRQ_EOI_Proc would not perform a physical EOI of the PIC. Its only
requirement would be to clear the interrupt request status for the VM if simulated
interrupts are used to communicate with the VM's device driver.
Note that interrupt simulation is an expensive procedure. Ring transitions and VM context
switches are often a result of interrupt simulation, and reducing simulated interrupt
generation w'ill help reduce the total burden of the CPU.
Bimodal interrupt handlers are a new feature of the Windows 3.1 VPICD that allows a
Windows device driver (or DLL) to service inten-upts without waiting for VPICD to
simulate an interrupt to the System VM and can avoid the associated delays of VM focus
changes and VM event processing. Interrupt latency can be reduced using these services
while maintaining a common code base for the ISR under Standard and Enhanced Mode
Windows. Note that servicing interrupts directly in a VxD (as discussed in the preceding
section ) yields minimal interrupt latency.
The following services are available through the PM API of the VPICD to install and
remove bimodal interrupt handlers: The VPICD API can only be accessed via the protected mode API entry point. It is not
available to V86 VMs. To access the VPICD API, a VM obtains the API entry point: Under Windows 3.0, the VPICD entry point will be NULL, because it does not support
any API functionality. If the entry point is not NULL, VPICD's version can be obtained: A DLL installs and removes a bimodal IRQ handler using the VPICD API Install and
VPICD_API_Remove functions respectively: In these routines, the Bimodal_Int Struc (BIS) is referenced. This structure has the
following format: The field definitions of this structure are detailed as follows: VPICD automatically creates GDT aliases for the ISR code and data segments as specified
in BIS_User_Mode_CS and BIS_user_Mode_DS, respectively. Additionally, the caller
can request that VPICD create GDT aliases for a number of selectors specified by
BIS_Descriptor_Count. The user-mode selectors are filled in an array of the
EBIS_Sel_Struc structures immediately following the Bmodal_Int_Structure. The
associated GDT aliases are returned in the EBI_Super_Mode_Sel element of each of the
EBIS_Sel_Struc structures. For example, the Windows 3.1 COMM driver uses this
functionality to create GDT aliases of the receive and transmit queues.
A DLL creates a Bimodal_Int_Struc and fills the appropriate fields. When the IRQ occurs,
VPICD calls the ISR directly at ring 0, regardless of the current VM. On entry to the ISR,
the CS is set to the GDT alias of the ISR code segment and ES:DI is set to the GDT alias
of the Bimodal_Int_Struc. If this structure is located in the data segment, you can make the
data addressable by moving ES into DS.
The ISR executes at ring 0 (CPL=0) through a 16-bit GDT code segment alias. As with
calling TSR code directly from a VxD, the provided stack is a Use32 segment and
parameter passing must reference the stack using 32-bits (ESP and EBP). The ISR cannot
switch to a different stack unless a ring 0 stack selector is created. Note that a DLL cannot
legally create such a selector.
The ISR must return from the procedure with a far return and carry clear if the IRQ was
serviced or carry set if the IRQ was not serviced. When the ISR is called directly by
VPICD, it must not manipulate the PIC directly. Instead, VPICD provides services through
the BIS Super Mode API procedure to perform these operations: The BIH_API_Call_Back procedure is useful for calling routines that do not have GDT
aliases or that must be executed in a specific VM. A common use of this service is to call a
routine in the driver that posts a message using the PostMessage() Windows API.
Note: VMM schedules event services to process the callback in the specified VM. The
callback is not executed synchronously. A driver should not post more than one event
without notification that the event has been processed. If multiple events are posted
without verifying that outstanding callbacks already exist, the VMM event services may
run out of resources and crash the system.
The Virtual DMA Device (VDMAD) provides services that allow a VxD to take control of
a DMA channel. A VxD using these services can intercept the DMA requests and modify
the VM state causing the VM to believe that the request completed. Also, it is possible to
translate or modify the VM's request before the physical state of the DMA controller is
updated. Additionally, by using these services, a VxD can add another level of hardware
contention management or indirectly replace portions of VDMAD's default handling.
All DMA channels are virtualized by VDMAD to map DMA requests by drivers to the
physical hardware. VDMAD validates the memory region supplied by the driver, and if
necessary, allocates the region from an internal DMA buffer.
Certain restrictions imposed by the DMA controller require the region management of
VDMAD:[Footnote:For simplicity, this discussion only reference the hardware with the lowest common
denominator, the 8253 DMA controller. Other controllers may support advanced features, but
for proper coverage by your VxD, this controller interface constrains the functionality of the
DMA interface.]
VDMAD breaks up requests into partial DMA transfers to satisfy these requirements.
DMA buffers submitted using the auto-init mode of the DMA controller cannot be broken;
consequently, these requests must be submitted with regions adhering to the restrictions.
For this reason, auto-init-mode DMA requires special memory management on behalf of
the device driver.
Note that this discussion does not cover advanced DMA topics, such as bus-mastering
devices and DMA controllers supporting scatter-gather.
As a VM programs the DMA controller, the controller s virtual state is updated, but state is
not submitted to the hardware until the VM unmasks the channel. This is important to
remember when you are debugging drivers using DMA. To display the channel status, use
the debug version of Win386 supplied with VxD-Lite and query VDMAD.
After the VM has unmasked the channel, VDMAD attempts to lock the memory region, as
programmed by the VM. If it is unsuccessful, VDMAD buffers the DMA transfer and
modifies the DMA controller s physical state.
VDMAD uses the VPICD_Hw_Int_Proc service to provide a watchdog event to poll for
the DMA controllers terminal count when non-auto-init-mode DMA transfers are
requested. When the DMA controller has completed the request, the necessary buffers are
updated (if a read operation was requested and buffers were allocated) and the VM's
virtual DMA state is updated to reflect the completed transfer.
A VxD can modify the DMA controllers virtual and physical states using the
VDMAD_Set_Virt_State and VDMAD_Set_Phys_State services, which are usually
incorporated with a handle of DMA channel that has been virtualized by a VxD.
A VxD uses DMA virtualization to add functionality to the base support of VDMAD. A
VxD can use this virtualization to change the virtual state before the request is submitted to
the hardware. To virtualize a DMA channel, a VxD uses the VDMAD_Virtualize_Channel service: When a VM has changed the virtualized DMA controller s mask state, it calls the supplied
procedure, in this case VSIMPLED_Virtual_DMA_Trap.
The VxD can modify the virtual state of the VM and then call the default handler,
VDMAD_Default_Handler, to allow VDMAD to continue the region management as
follows: If necessary, a VxD can handle the actual DMA buffer translation and program the þ.
physical state of the DMA controller. This type of virtualization requires the use of the
VDMAD buffer copy and region management services (listed in Appendix A).
Additionally, a VxD can translate the DMA request to a replacement interface, such as
those supplied by the PCMCIA hardware implementations. Again, the VxD must virtualize
the DMA channel and process the notifications from VDMAD.
Although some of the buffer management details are discussed in the next section, you
should investigate the VDMAD sources provided in the Microsoft Windows 3.1 Device
Driver Kit for code samples and to develop a better understanding of the operation of
VDMAD.
As already mentioned, the primary purpose of VDMAD is to buffer DMA requests and to
map the regions to memory accessable by the DMA controller. DMA region mapping is
automatically performed by VDMAD on a non-virtualized channel when the DMA
channel is unmasked. A VxD virtualizing a DMA channel can use these services without
additional code overhead simply by calling the VDMAD_Default_Handler. When a
non-standard interface is implemented, some or all of the region mapping services of
VDMAD will be needed.
To request a DMA buffer from VDMAD and copy information from a VM to this buffer,
the VxD uses the VDMAD_Request_Buffer and VDMAD_Copy_To_Buffer services: To prepare the hardware state, the VxD updates the region information and programs the
physical state to the DMA controller. The VxD starts DMA transfer by unmasking the
channel: Note that these code fragments are very simple and incomplete. For instance, the VxD
does not check to see whether the region can be locked by using the
VDMAD_Lock_DMA_Region service before requesting the buffer from VDMAD.
When a DMA channel is unmasked using the VDMAD_UnMask_Channel service, the
ownership of the DMA channel is assigned to the requesting VM. VDMAD sets up the
watchdog event to modify the virtual channel state when the terminal count is reached for
non-auto-init-mode transfers. When the watchdog event determines that the channel has
reached terminal count, VDMAD virtually masks it. If the operation was a DMA write
operation, the buffer is copied to the VM's linear address, as supplied with
VDMAD_Set_Region_Info. The virtual count register is updated, the channel is
physically masked, and the channel owner is set to NULL.
VDMAD always attempts to complete the DMA transfer when the channel has been
unmasked by using the VDMAD_UnMask_Channel service. To completely control the
DMA channel in your VxD, you can virtualize the DMA channel using a NULL handling
procedure and then program the DMA controller directly from your VxD. VDMAD will
continue to trap the I/O range for the controller but will not update the physical state.
Alternatively, you can provide a virtual DMA handling procedure and program the
controller directly by using the virtual controller state information as provided by
VDMAD. When using this implementation, you must avoid VDMAD services that affect
the physical state or make assumptions about the ownership of the channel. Also, you need
to resolve contention by other VMs in your procedure. Consult the VDMAD sources for
further details.
The Virtual Keyboard Driver (VKD) provides an interface to the keyboard that allows a
VxD to trap for hot keys, simulate keystrokes into a VM, and simulate a paste operation
from a supplied buffer into a VM. This interface can be used to force certain actions in a
VxD or to serve as form of communication between a VxD and an active application in a
VM.
Hot keys are registered with the VKD through the VKD_Define_Hot_Key service. Hot
keys are enabled and disabled on a per-VM basis using the VKD_Local_Enable_Hot_Key
and VKD_Local_Disable_Hot_Key services when the Local_Key flag is
specified, as follows: To disable these keys by default, use the VKD Local Disable Hot Key service
during the Sys VM_Init and VM Critical_Init message processing: Once a hot key has been enabled in a VM the VxD receives a notification from VKD
whenever the hot key is pressed and processes it accordingly: VKD provides services to force keys to a VM's keyboard buffer, so that the VM reacts as
the key had been pressed on the physical keyboard. The buffer passed to the
VKD_Force_Keys service contains actual keyboard scan eodes, such as the "key down,"
"key repeat," and "key up" codes. Using the force keys service is quite simple, but determining which scan codes to send is
probably the most time-consuming part of using this interface.
The concept of writing VxDs in 'C' has been widely misunderstood. Writing VxDs in 'C' is
not impossible -- on the contrary, you can do it without a great deal of grief. Forget
everything anyone has every told you about writing VxDs in 'C' and open your mind.
VxDs wrtten in 'C' are the wave of the future, not just a passing fad.
VMM does not look in the object code of VxDs for magical embedded notations to
determine whether the code was generated by a 'C' compiler or the magical MASM 5.lOB
assembler. When a good 386 32-bit 'C' compiler generates the necessary code, the
LINK3B6 linker will link the objects and generate a proper executable, which can be called
a VxD.
The main hurdle to overcome when writing VxDs in 'C' is that a great portion of VMM
services require either parameter passing using registers or that the mystical dynalinking
macro must be used to generate the code to call VxD or VMM services. Additionally,
services declared by VxDs are created with tables hidden by the VMM.INC macros and
the actual procedure entry points are renamed with a new prefix. But that doesn't mean that
it's time to give up and return to assembly, only that you may not be able to write all of
your VxD in 'C'. Some assembly may be required: I affectionately refer to this as MASM-
tape.
The limitations and restrictions of writing a VxD in 'C' include the following Most compilers support the #pragma code_seg and #pragma data_seg directives.
The following directives will define the necessary segments and classes: When developing the samples in 'C' for this book, I experienced problems with the
WATCOM C/386 compiler using the #pragma code_seg directive and was forced to
use command line options to define the segment and class names (see the sample makefiles
for more information). Also, some 'C' compilers may not support multiple segment
declarations in a single module. You may be required to create one module for
initialization code and data, another for locked code and data and another for pageable
code and data.
A VxD entry point is defined in the Device Declaration Block (DDB) as defined in
Chapter 1. The DDB is exported using a.DEF file. A typical export is as follows: In order to maintain compatibility with this naming conventionH, the compiler must not
generate the 'C'-style underscore prefix. The WATCOM C/386 compiler provides an
option for disabling this namiing convention.
The DDB structure, as defined using 'C', is as follows: The following example declares a DDB within a 'C' module: To provide an interface to the register parameters for VxD control procedures, an
assembly wrapper is necessary. This procedure creates a 'C' stack frame and calls the
associated procedure as defined in a dispatch table: When the VxD control procedure is called by VMM, the vmmwrapVxDControlProc
(provided by VMMWRAP.ASM) walks this table and dispatches the system message to
the associated procedure. Note that vmmwrapVxDControlProc uses a linear search
algorithm; consequently, the least-frequent system events should be located at end of the
table. Some of the dispatch functions have slightly different prototypes, not listed here
becausse the sample sources demonstrate their use and the VMMWRAP.ASM code is well
documented.
The following code excerpt demonstrates a VxD initialization procedure as written in 'C': óWrapping VxD ServicesÓ
As mentioned earlier, VxD service calls to other VxDs or VMMs use the lnt 20h dynalink
interface. Embedding this code throughout your VxD is inefficient, and some form of 'C' to
assembly interface is necessary with some services because of register parameter passing.
VMMWRAP.ASM defines a large number of 'C' callable routines that convert stack
parameters into the correct register parameter interfaces used by the various services and
return the results of the serviee call. For example, the VMM service List Create uses
the ECX, EAX, and ESI registers to define a node size and tlags and to return a handle to
the list. It then becomes necessary to provide an C-callable interface:
; DWORD PASCAL vmm List Create( UINT u Node Size, UINT u Flags )
;
; DESCRIPTION:
; Creates a new list structure.
;
; PARAMETERS:
; UINT uNodeSize
;
; UINT uFlags
; Specifies the creation flags, it can be a
; combination of the following values:
;
; _LF_Alloc_Error, LF_Async, LF_Use_Heap
;
; RETURN VALUE :
; DWORD
; handle to the list or NULL if failure
;------------------------------------------------------------------
BeginProc vmmListCreate, PUBLIC
uFlags equ [ebp + 8]
uNodeSize equ [ebp + 12]
push ebp
mov ebp, esp
push esi
push ecx
mov ecx, uNodeSize
mov eax, uFlags
VMMCall List_Create
pop ecx
mov eax, esi
pop esi
jnc SHORT VLC_Exit
xor eax, eax
VLC_Exit:
pop ebp
ret 8
EndProc vmmListCreate
A VxD in 'C' can then call this service as follows: óThunking CallbacksÓ
A thunk is a piece of assembly code that fronts your 'C' procedure to map registers as
passed by VMM to a 'C' stack frame and then calls your procedure. A thunk also converts
the 'C' return value to the expected return value for the callback. Callbacks are used by
VMM and other VxDs for notifieation and event processing. For example, when a V86
page is hooked, a page fault handler in the VxD is called to resolve the fault.
A thunk is created "on the t1y" by a thunking procedure. Given a procedure address, a
thunking procedure copies the base code, patches the necessary offsets, and returns a
pointer to this piece of code. An advantage to using tlat model code here is that a VxD can
reference code and data with the same offset. Creating executable code with a simple heap
allocation is easy, because seleetor restrictions are not an issue. For example, the following
will create a procedure thunk for a generic VMM event callback: To avoid page faults while executing thunk code, allocate a non-pageable memory block
for a thunk table on the first call to Allocate_Procedure_Thunk. To simplify thunk
allocation management, the allocation routine uses a fixed, maximum thunk size; this
routine could be improved to be more memory efficient. The actual thunk code is
embedded in the specific thunk allocation procedure. After the memory allocation for the
thunk has been performed, the thunk code is copied and patched with the correct offset to
the caller's provided procedure address. Thunks should be created only once per
procedure, as follows: óService TablesÓ
Service tables are best left to assembly. Although it is possible to create a service table
using 'C', there are many restrictions: A service table can be declared in 'C' as follows: The service table must be located in the locked data segment. The DDB should be contain
a pointer to service table and number of services declared.
If your VxD is replacing a standard VxD, such as the Virtual Display Driver, a service
interface already exists. To support this interface and to allow the VxD service procedures
to be written in 'C', the service entry points are thunked using a macro, such as the
following to provide an interface to the register parameters: The VSIMPLED VxD introduced in Chapter 1 has been rewritten in 'C' to demonstrate
some of the techniques discussed in this chapter:Device Contention Management
Simulating Hardware
Chapter 7
IRQ Virtualization
Default VPICD Handling
IRQ Virtualization and Sharing
VPICD_IRQ_Descriptor STRUC
VID_IRQ_Number dw ?
VID_Options dw 0
VID_Hw_Int_Proc dd ?
VID_Virt_Int_Proc dd 0
VID_EOI_Proc dd 0
VID_Mask_Change_Proc dd 0
VID_IRET_Proc dd 0
VID_IRET_Time_Out dd 500
VPICD_IRQ_Descriptor ENDS
;=========================================================================
; I N I T D A T A
;=========================================================================
VxD_IDATA_SEG
VIRQD_IRQ Descriptor VPICD_IRQ_Descriptor <, \
OFFSET32 VIRQD_Hw_Int_Proc"\
OFFSET32 VIRQD_EOI_Proc",>
VxD_IDATA_ENDS
;=========================================================================
; I N I T C O D E
;=========================================================================
VxD_ICODE_SEG
;-------------------------------------------------------------------------
; VIRQD_Device_Init
;
; DESCRIPTION:
; Non critical system initialization procedure.
; ENTRY :
; EBX = Sys VM handle
;
; EXIT :
; CLC if everything's A-OK, otherwise STC
;
; USES :
; Flags.
;------------------------------------------------------------------------
BeginProc VIRQD_Device_Init
Trace_Out "VIRQD: Device_Init"
push eax
push edi
mov edi, OFFSET32 VIRQD_IRQ_Descriptor
mov [edi.VID IRQ Number], VIRQD_Interrupt
VxDCall VPICD Virtualize_IRQ
ifdef DEBUG
jnc SHORT @F
Debug_Out "VIRQD: Unable to virtualize IRQ"
jmp SHORT DI_Exit
@@:
else
jc SHORT DI_Exit
endif
mov hVirtIRQ, eax
DI_Exit:
pop edi
pop eax
ret
EndProc VIRQD_Device_Init
VxD_ICODE_ENDS
Dispatching IRQs to a VPM
;------------------------------------------------------------------------
; VIRQD_Hvr_Int_Proc
;
; DESCRIPTION:
; Hardware interrupt handler. Called by VPICD.
; simulates the interrupt to the hardware owner or
; to the current VM if unowned.
;
; ENTRY :
; EAX = IRQ handle
; EBX = current VM handle
; EXIT :
; CLC if processed, STC otherwise.
;
; USES :
; EBX, Flags.
;------------------------------------------------------------------------
BeginProc VIRQD_Hw_Int_Proc, High_Freq
Trace_Out " < i "
cmp hOwnerVM, 0
je SHORT HIP_Setlt
mov ebx, hOwnerVM
HIP_Set_It:
VxDCall VPICD_Set_Int_Hequest
clc
ret
EndProc VIRQD_Hw_Int_Proc
Servicing Interrupts in a VxD
;------------------------------------------------------------------------
; VIRQD_Hw_Int_Proc
;
; DESCRIPTION:
; Hardware interrupt handler. First, EOI the PIC
; so we avoid missing another IRQ generated by the
; device. Call a procedure elsewhere in the VxD to
; service the hardware device and then return.
;
; ENTRY :
; EAX = IRQ handle
; EBX = current VM handle
; Interrupts are disabled.
;
; EXIT :
; CLC if processed, STC otherwise.
;
; USES:
; EBX, Flags.
;------------------------------------------------------------------------
BeginProc VIRQD Hw_Int_Proc, High_Freq
Trace_Out " < i > "
VxDCall VPICD_Phys EOI
call VIRQD_Service_Hardware
clc
ret
EndProc VIRQD_Hw_Int_Proc
Bimodal Interrupt Handlers
VPICD_API_Get_Ver retrieve the VPICD version
VPICD_Install_Handler install a bimodal IRQ handler
VPICD_Remove_Handler remove a bimodal IRQ handler
VPICD_Device_ID EQU 0003h
VPICD_API_Get_Ver EQU 0000h
VPICD_Install_Handler EQU 0001h
VPICD_Remove_Handler EQU 0002h
VPICD_Call_At_Ring0 EQU 0003h
xor di, di
mov es, di
mov ax, 1684h ; get API entry point
mov bx, VPICD_Device_ID ; of the VPICD
int 2fh
mov word ptr lpVPICDEntry, di
mov word ptr lpVPICDEntry + 2, es
mov ax, es
or ax, di
jz SHORT No_VPICD_API
Get_VPICD_Version:
mov ax, VPICD_API_Get_Ver
call dword ptr lpVPICDEntry
jc SHORT VPICD_Error
cmp ax, 30Ah
jbe SHORT VPICD_Error
Install_Bimodal_Handler:
les di, lpBIS ; pointer to BIS struct.
mov ax, VPICD_Install_Handler
call dword ptr lpVPICDEntry
jc SHORT VPICD Error
Remove_Bimodal_Handler:
les di, lpBIS ; pointer to BIS struct.
mov ax, VPICD_Remove_Handler
call dword ptr lpVPICDEntry
jc SHORT VPICD_Error
Bimodal_Int_Struc STRUC
BIS_IRQ_Number dw ?
BIS_VM_ID dw 0
BIS_Next dd ?
BIS_Reserved1 dd ?
BIS_Reserved2 dd ?
BIS_Reserved3 dd ?
BIS_Reserved4 dd ?
BIS_Flags dd 0
BIS_Mode dw 0
BIS_Entry dw ?
BIS_Control_Proc dw ?
dw ?
BIS_User_Mode_API dd ?
BIS_Super_Mode_API dd ?
BIS_User_Mode_CS dw ?
BIS_User_Mode_DS dw ?
BIS_Super_Mode_CS dw ?
BIS_Super_Mode_DS dw ?
BIS_Descriptor_Count dw ?
Bimodal_Int_Struc ENDS
BIS_IRQ_Number VPICD installs a bimodal intenupt for the IRQ specified
by this field when the VPICD_Install_Handler API is
called.
BIS_VM_ID Contains the current VM ID when the inten`upt handler
specified by BIS_Entry is called.
BIS_Next Currently not used by the Windows 3.1 VPICD.
BIS_Flags Must be set to zero.
BIS_Mode Set to 0 to indicate user mode or 4 to indicate supervisor
mode. This value can be used as an offset to obtain the
appropriate user-mode or super-mode BIS API handler.
(Set by VPICD when calling the procedures defined by the
BIS_Entry and BIS_Control_Proc offsets.)
mov bx, es:[di.BIS_Mode) ; mode 0=user, 4=super
call es:[bx][di.BIS_User_Mode_API]
BIS_Entry Specifies the offset of the ISR from the CS specified in the
BIS_User_Mode_CS field. When VPICD calls the
interrupt handler for interrupt servicing, ES:DI points to
this structure. (Filled by caller for the call to
VPICD_Install_Handler.)
BIS_Control_Proc Specifies the offset of the control procedure from the CS
specified in the BIS_User_Mode_CS field. The control
procedure is currently not used by the Windows 3.1
VPICD, but should point to a dummy control procedure
that performs a far return. (Filled by the caller for
VPICD_Install_Handler.)
BIS_User_Mode_API Specifies the far address of the user-mode API procedure
entry point. (Filled by VPICD after a call to
VPICD_Install_Handler API.)
BIS_super_Mode_API Specifies the far address of the supervisor mode API
procedure entry point. (Filled by VPICD after a call to the
VPICD_Install_Handler API.)
BIS_User_Mode_CS Specifies the selector of the user-mode code segment of
the interrupt handler. The BIS Entry and
BIS_Control_Proc offsets must be relative to the code
selector specified by this field. (Filled by caller for
VPICD_Install_Handler.)
BIS_User_Mode_DS Specifies the selector of the user-mode data segment of the
interrupt handler. The Bimodal Int_Struc structure should
be located in this segment. (Filled by caller for
VPICD_Install_Handler.)
BIS_super_Mode_CS VPICD stores the GDT alias of the user-mode CS selector
in this field after a call to VPICD_Install_Handler.
BIS_Super_Mode_DS VPICD stores a GDT alias of the user mode CS selector in
this field after a call to VPICD_Install_Handler.
BIS_Descriptor_Count Specifies the number of EBIS_Sel_Struc structures
immediately following the Bimodal_Int_Struc
structure. VPICD creates a GDT alias for each of the
selectors in the structures that follow.
EBIS_Sel_Struc STRUC
EBIS_User_Mode_Sel dw ?
dw ?
EBIS_Super_Mode_Sel dw ?
EBIS_Sel_Struc ENDS
EBIS_User_Mode_Sel User mode selector
EBIS_Super_Mode_Sel GDT alias of selector created by VPICD after a call to
VPICD_Install_Handler.
BIH_API_EOI EQU 0000h
BIH_API_Mask EQU 0001h
BIH_API_Unmask EQU 0002h
BIH_API_Get_Mask EQU 0003h
BIH_API_Get_IRR EQU 0004h
BIH_API_Get_ISR EQU 0005h
BIH_API_Call_Back EQU 0006h
BIH_API_EOI Equivalent to calling VPICD_Phys_EOI.
BIH_API_Mask Equivalent to calling the VPICD_Physically_Mask
service.
BIH_API_Get_IRR Equivalent to calling the VPICD_Test_Phys_Request
service. Returns carry set if the physical interrupt request is
set.
BIH_API_Get_ISR Retrieves the in-service state of the IRQ. Returns with
carry set if the IRQ is in service.
BIH_API_Call_Back Uses the Call_Priority_VM_Event service to schedule an
event for the target VM specified BX. When the event
callback is processed, VPICD will use nested execution
services to simulate a far call to the address specified by
CX:DX.
Chapter 8
Virtualized DMA
Physical State vs. Virtual State
DMA Virtualization
;
; Tell VDMAD that we want to know about this
; DMA controller.
;
xor eax, eax
mov [gdwDMAHandle], eax
movzx eax, gbDMAChannel
mov esi, OFFSET32 VSIMPLED_Virtual_DMA_Trap
VxDCall VDMAD_Virtualize_Channel
mov [gdwDMAHandle], eax
jc SHORT VDC_Exit_Failure
;------------------------------------------------------------------
; VSIMPLED_Virtual_DMA_Trap
;
; DESCRIPTION:
; Forces DMA block mode and then calls the default
; DMA handler.
;------------------------------------------------------------------
BeginProc VSIMPLED_Virtual_DMA_Trap, High_Freq
VxDCall VDMAD_Get_Virt_State
test dl,DMA_requested
jz SHORT VDT_Exit
test dl,DMA_masked
jnz SHORT VDT_Exit
; Force block mode DMA,channel is requested and
; unmasked by the VM.
and dl,NOT (DMA_mode_mask)
or dl, DMA_block_mode
xor dh, dh
VxDCall VDMAD_Set_Virt_State
VDT_Exit :
VxDCall VDMAD_Default_Handler
ret
EndProc VSIMPLED_Virtual_DMA_Trap
DMA Region Mapping
;
; Request a buffer from VDMAD and copy from VM
; On entry, EAX is DMA handle, EBX is VM handle.
;
VxDCall VDMAD_Get_Virt_State
push edx ; save mode for later
push ebx ; save VM for later
; ESI = linear address
; ECX = count
; DL/DH = mode/flags
test dl, DMA requested
jnz SHORT Buffer_New
test dl, DMA_masked
jnz SHORT Buffer_Clean_Up
VxDCall VDMAD_Request_Buffer
jc SHORT Error_No_Buffer
; EDX now contains the physical address of
; the DMA buffer..
test dl, DMA_type_read
jz SHORT Dont_Copy
; EBX = buffer handle
; ESI = linear region
; ECX = size
; EDI = offset
xor edi, edi
VxDCall VDMAD Copy_To_Buffer
jc SHORT Error_Copy
Dont_Copy:
pop ebx
VxDCall VDMAD_Set_Region_Info
pop edx
VxDCall VDMAD_Set_Phys_State
; Unmask the DMA channel to begin the transfer
VxDCall VDMAD_UnMask_Channel
Avoiding VDMAD Interference
Chapter 9
VKD and Keyboard ProcessingHot Keys
;
; Define hot keys for ctrl-pgup and ctrl-pgdn
;
mov al, 49h ; page-up
mov ah, ExtendedKey_B
ShiftState
VSIMPLED_Sys_VM_Init LABEL NEAR
BeginProc VSIMPLED_VM_Critical_Init
mov eax, ghhkCtrlPgUp
VxDCall VKD_Local_Disable_Hot_Key
mov eax, ghhkCtrlPgDn
VxDCall VKD_Local_Disable_Hot_Key
clc
ret
EndProc VSIMPLED_VM_Critical_Init
BeginProc VSIMPLED_Hot_Key_Handler
push eax
; Turn off hot key mode in case we're going
; to expand this to force keys. Don't want
; to be in hot key mode when forcing keys
; to a VM.
VxDCall VKD_Cancel_Hot_Key_State
cmp al, 49h
jne SHORT HK_PgDn
;
; Ctrl-Pg Up pressed...
;
Trace_Out "Control-Pg Up pressed in VM #EBX"
jmp SHORT HK_Exit
HK_PgDn :
;
; Ctrl-Pg Dn pressed...
;
Trace_Out "Control-Pg Dn pressed in VM #EBX"
HKKH_Exit :
pop eax
ret
EndProc VSIMPLED_Hot_Key_Handler
Simulating Keystrokes to VMs
;
; This code snippet just forces Pg Dn and Pg Up
; to the VM in place of Ctrl-Pg Dn and Ctrl-Pg Up.
;
ForceKey_Buffer_Down label byte
db 51h, D1h
ForceKey_Buffer_Down_Len equ $-ForceKey_Buffer_Down
ForceKey_Buffer_Up label byte
db 49h, C9h
ForceKey_Buffer_Up_Len equ $-ForceKey_Buffer_Up
BeginProc VSIMPLED Hot Key_Handler
push eax
;
; Don't want to be in hot key mode
; when forcing keys to a VM.
;
VxDCall VKD_Cancel_Hot_Key_State
cmp al, 49h
jne SHORT HK_PgDn
;
; Ctrl-Pg Up pressed...
;
Trace_Out "Control-Pg Up pressed in VM #EBX"
mov ecx, ForceKey_Buffex_Up_Len
lea esi, ForceKey_Buffer_Up_Len
jmp SHORT HK_ForceEm
HK_PgDn:
;
; Ctrl-PgDn pressed...
;
Trace_Out "Control-PgDn pressed in VM #EBX"
mov ecx, ForceKey_Buffer_Down_Len
lea esi, ForceKey_Buffer_Down
HK_ForceEm:
VxDCall VKD_Force_Keys
IFDEF DEBUG
jnc SHORT @F
Debug_Out "VKD Force Keys failed!"
@@:
ENDIF
pop eax
ret
EndProc VSIMPLED_Hot_Key_Handler
Chapter 10
Writing VxDs in C
Segment Attributes
VxD segments require the following specific attributes:
// code and data segment directives for init code
#pragma code_seg( "_ITEXT", "ICODE" )
#pragma data_seg( "_IDATA", "ICODE" )
// code and data segment directives for pageable code
#pragma code_seg( "_TEXT", "PCODE" )
#pragma data_seg( "_DATA", "PCODE" )
// code and data segment directives for locked code
#pragma code_seg( "_LTEXT", "LCODE" )
#pragma data_seg( "_LDATA", "LCODE" )
A 'C' -callable Wrapper for VMM
EXPORTS
VSIMPLED_DDB @1
#define DDK_Version 0x30A
typedef struct tagVxD_Desc_Block
{
DWORD DDB_Next ; // VMM reserved field
WORD DDB_SDK_Version // VMM reserved field
WORD DDB_Req_Device_Number ; // Required device number
BYTE DDB_Dev_Major_Version ; // Major device number
BYTE DDB_Dev_Minor_Version ; // Minor device number
WORD DDB_Flags ; // Flags init calls complete
BYTE DDB_Name[ 8 ] ; // Device name
DWORD DDB_Init_Order ; // Initialization Order
DWORD DDB_Control_Proc ; // Offset of control procedure
DWORD DDB_V86_API_Proc ; // Offset of API procedure
DWORD DDB_PM_API_Proc ; // Offset of API procedure
DWORD DDB_V86_API_CSIP ; // CS:IP of API entry point
DWORD DDB_PM_API_CSIP ; // CS:IP of API entry point
DWORD DDB_Reference_Data ; // Ref. data from real mode
DWORD DDB_Service_Table_Ptr ; // Pointer to service table
DWORD DDB_Service_Table_Size ; // Number of services
} DDB ;
#include <vmm.h>
#include "vsimpled.h"
#pragma data_seg( "_LDATA", "CODE" )
// ============================================================
// V I R T U A L D E V I C E D E C L A R A T I O N
// ============================================================
DDB VSIMPLED_DDB = { NULL, // must be NULL
DDK_Version, // DDK_Version
VSIMPLED_Device_ID, // Device ID
VSIMPLED_Major_Ver, // Major Version
VSIMPLED_Minor_Ver, // Minor Version
NULL,
"VSIMPLED",
Undefined_Init_Order,
(DWORD) vmmwrapVxDControlProc,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL } ;
//
// This table is used by the vmmwrap VxD Control Proc defined
// in VMMWRAP.ASM. It lists the messages and associated
// dispatch functions, it must be terminated with -1 and NULL.
//
DISPATCHINFO alpVxDDispatchProcs[} =
{ Create_VM, VSIMPLED_Create_VM,
Sys_Critical_Init, VSIMPLED_Sys_Critical_Init,
Device_Init, VSIMPLED_Device_Init,
-1, NULL } ;
#pragma data_seg( "_IDATA", "ICODE" )
// ============================================================
// I C O D E
// ============================================================
//-------------------------------------------------------------
// BOOL VSIMPLED_Device_Init
//
// Description:
// This is a non-system critical initialization procedure.
// IRQ virtualization, I/O port trapping, and VM control
// block allocation can occur here.
//
// Again, the same return value applies... TRUE for success,
// FALSE for error notification.
//
// Parameters:
// DWORD hVM
// System VM handle
//
// PSTR pCmdTail
// pointer to WIN.COM's command tail
//
// PCRS_32 pCRS
// pointer to System VM client register structure
//
//-----------------------------------------------------------------
BOOL CDECL VSIMPLED_Device_Init
(
DWORD hVM,
PSTR pCmdTail,
PCRS_32 pCRS
)
{
UNUSED_PARAM( hVM ) ;
UNUSED_PARAM( pCmdTail ) ;
UNUSED_PARAM( pCRS ),
vmmTrace Out( "VSIMPLED_Device_Init\r\n" ) ;
return ( TRUE ),
} // end of VSIMPLED Device Init()
// Create a list with elements of the type NODE
hList = vmmListCreate( sizeof( NODE ), 0 ) ;
;------------------------------------------------------------------
; EVENTPROC PASCAL vmmwrapThunkEventProc( EVENTPROC pProc )
; DESCRIPTION:
; Creates a procedure thunk for VxD generic event callbacks.
; PARAMETERS:
; DWORD pProc
; pointer to callback procedure, must have the form:
; VOID CDECL EventProc( DWORD hVM,
; DWORD dwRefData,
; PCRS_32 pCRS )
;
; RETURN VALUE :
; EVENTPROC
; pointer to thunk or NULL if failure
;------------------------------------------------------------------
BeginProc vmmwrapThunkEventProc, PUBLIC
pCRS equ [ebp]
pProc equ [ ebp + 8 ]
push ebp
mov ebp, esp
call Allocate_Procedure_Thunk
jc SHORT VEProc_Failure
jmp SHORT VEProc_CreateThunk
;===================
; Begin thunk code
EventThunk label byte
push pCRS
push edx ; uPage
push ebx ; hVM
call $
EventThunkCallAddr equ $-EventThunk
add esp, 12 ; fixup for CDECL
ret
EventThunkSize equ $-EventThunk
;
;End thunk code
;===================
VEProc_CreateThunk:
push ecx
push edi
push esi
;
; Copy the thunk...
;
lea esi, EventThunk
mov edi, eax
mov ecx, EventThunkSize
cld
shr ecx, 1
rep movsw
adc cl, cl
rep movsb
;
; Fix it up...
;
push eax
add eax, EventThunkCallAddr
mov esi, eax
sub esi, 4
sub eax, pProc
neg eax
mov dword ptr [esi], eax
pop eax
pop esi
pop edi
pop ecx
jmp SHORT VEProc_Exit
VEProc_Failure:
xor eax, eax
VEProc_Exit:
pop ebp
ret 4
EndProc vmmwrapThunkEventProc
// NOTE!!! p VMEMTRAP P Fault is a global pointer to the
// Page Fault procedure thunk.
if ( !pVMEMTRAP_PFault )
{
if (p VMEMTRAP_PFault =
vmmwrapThunkVB6PHProc( VMEMTRAP_P Fault ))
else
{
vmmDebugOut ( "Could not allocate Page Fault thunk: \r\n" ) ;
return ( FALSE ) ;
}
}
vmmHookV86Page( wPage, pVMEMTRAP_PFault );
return ( TRUE ) ;
#define VSIMPLED_Get_Version (VSIMPLED_Device_ID) << 16 + 0x0000
#define VSIMPLED_Get_Info (VSIMPLED_Device_ID) << 16 + 0x0001
DWORD CDECL I_VSIMPLED_Get_Version( VOID ) ;
BOOL CDECL I_VSIMPLED_Get_Info( PINFOSTRUCT ),
SERVICETABLE VSIMPLED_Service Table =
{
I_VSIMPLED_Get_Version,
I_VSIMPLED_Get_Info
}
Service_Thunk MACRO Service_Name, Type
IFNB
The service thunks are defined as follows using the macro
VXD_CODE_SEG
Service_Thunk VDD_Get_Version
Service_Thunk VDD_PIF_State
Service_Thunk VDD_Get_GrabRtn
Service_Thunk VDD_Hide_Cursor
Service_Thunk VDD_Set_VMType
Service_Thunk VDD_Get_ModTime
Service_Thunk VDD_Set_HCurTrk
Service_Thunk VDD_Meg_ClrScrn
Service_Thunk VDD_Meg_ForColor
Service_Thunk VDD_Meg_BakColor
Service_Thunk VDD_Meg_TextOut
Service_Thunk VDD_Meg_SetCursPos
Service_Thunk VDD_Query_Access
;
; New services for 3.1
;
Service_Thunk VDD_Check_Update_Soon
VXD CODE_ENDS
The service table is defined as usual:
.xlist
INCLUDE VMM. INC
PUBLIC VDD_Service_Table
Create VDD_Service_Table EQU True
INCLUDE VDD.INC
.list
Finally, a service procedure written in 'C' uses a pointer reference to the registers, as
provided by the thunk, to access the parameters:
//------------------------------------------------------------
//
// VOID VDD_PIF_State
//
// Description:
// Informs VDD about PIF bits for newly created VM.
//
// Parameters:
// PREGS pRegs
// pRegs -> ebx = VM handle
// pRegs -> ax = PIF bits
//
// Return (VOID) :
// Nothing.
//
//------------------------------------------------------------
VOID CDECL VDD_PIF_State
{
PREGS pRegs
}
{
PVDDCB pVMCB;
if (vmmTestSysVMHandle( p Regs -> ebx ))
wPIFSave = (WORD) p Regs -> eax ;
else
{
pVMCB = (PVDDCB) (pRegs -> ebx + dwVidCBOff) ;
if (pVMCB -> VDD_PIF != (WORD) pRegs -> eax)
{
pVMCB -> VDD_PIF = (WORD) pRegs -> eax ;
VDD_TIO_SetTrap( pRegs -> ebx, pVMCB ),
}
}
} // VDD PIF State()
VSIMPLED Sources in 'C'
VSDINIT.C
//------------------------------------------------------------
//
// Module: vedinit.c
//
// Purpose:
// Init code and data for VSIMPLED.
//
//------------------------------------------------------------
#include <vmm. h>
#include "vsimpled. h"
#pragma data_seg ( "_IDATA", "ICODE" )
//============================================================
// I C O D E
//===========================================================
//------------------------------------------------------------
// BOOL VSIMPLED_Sys_Critical_Init
//
// Description:
//
// On entry, interrupts are disabled. Critical initialization
// for thie VxD should occur here. For example, we can read
// settings from VMM's cached copy of the SYSTEM.INI and act
// set up our VxD as appropriate.
//
// This procedure is called when the VxD Control Proc
// dispatches the Sys_Critical_Init notification from VMM.
//
// We can notify VMM of euccess or failure by returning TRUE or
// FALSE.
//
// Parameters:
// DWORD hVM
// System VM handle
//
// DWORD dwRefData
// reference data passed from real-mode init
//
// PSTR pCmdTail
// pointer to WIN.COM's command tail
//
// PCRS_32 pCRS
// pointer to System VM client register structure
//
//------------------------------------------------------------
BOOL CDECL VSIMPLED_Sys_Critical_Init